Netflow v9 is not being processed

geertn444 · December 21, 2017, 9:16am

Hello,

I am using 6.x logstash with default netflow plugin.
I am trying to read netflow v9 records from Riverbed Steelhead. V5 works, but when i switch to v9...nothing is displayed (if i run interactively with -f).

In the log, i am seeing the following errors:

[2017-12-20T17:04:19,710][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 300 from source id 3203342338, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-12-20T17:04:19,710][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 300 from source id 3203342338, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-12-20T17:04:19,710][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 302 from source id 3203342338, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-12-20T17:04:19,710][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 300 from source id 3203342338, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-12-20T17:04:19,710][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 300 from source id 3203342338, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-12-20T17:04:19,710][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 300 from source id 3203342338, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-12-20T17:04:19,711][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 300 from source id 3203342338, because no template to decode it with has been received. This message will usually go away after 1 minute.

What to do ?

geertn444 · December 21, 2017, 9:27am

Some more info:

logstash 6.0.1
logstash-codec-netflow (3.8.3)

system · January 18, 2018, 9:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.