Netflow v9 Template (Logstash 5.4, Cisco 4500X, Netflow v9)


(Dale) #1

Been scouring the forums and can't crack this one. I have a 4500X sending v9 Netflows with the following flow record defined (IOS is 152-4.E4):

flow record elk
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing forwarding-status
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

Even after several hours, logstash is throwing:

[2017-05-21T09:57:52,302][WARN ][logstash.codecs.netflow  ] Unsupported field in template 257 {:type=>144, :length=>4}
[2017-05-21T09:57:52,302][WARN ][logstash.codecs.netflow  ] No matching template for flow id 257
[2017-05-21T09:58:07,302][WARN ][logstash.codecs.netflow  ] Unsupported field in template 257 {:type=>144, :length=>4}
[2017-05-21T09:58:07,302][WARN ][logstash.codecs.netflow  ] No matching template for flow id 257
[2017-05-21T09:58:22,300][WARN ][logstash.codecs.netflow  ] Unsupported field in template 257 {:type=>144, :length=>4}
[2017-05-21T09:58:22,301][WARN ][logstash.codecs.netflow  ] No matching template for flow id 257
[2017-05-21T09:58:37,304][WARN ][logstash.codecs.netflow  ] Unsupported field in template 257 {:type=>144, :length=>4}

A CFLOW decoded pcap of the data shows:

Anyone any ideas on this? Thanks!
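
The two warnings in the log above always arrive together for template 257. As an added example (not part of the original post and not Logstash's own code), the following parses the template FlowSet of a NetFlow v9 export packet, lists the field types a collector does not recognise, and shows which data FlowSets are then left without a usable template. Assumptions: the `KNOWN` table is a constructed subset of RFC 3954 field types, the sample packet is constructed rather than taken from the 4500X, and the collector is assumed to discard a whole template when any one field is unknown to it.

```python
import struct

# Field types from RFC 3954 (NetFlow v9). Constructed subset for this example,
# not the definition list shipped with the Logstash netflow codec.
KNOWN = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS",
         6: "TCP_FLAGS", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
         10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
         14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
         52: "MIN_TTL", 53: "MAX_TTL", 89: "FORWARDING_STATUS"}

def flowsets(packet):
    """Yield (flowset_id, body) for each FlowSet after the 20-byte v9 header."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("truncated or malformed FlowSet")
        yield fs_id, packet[offset + 4:offset + length]
        offset += length

def templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} from FlowSet id 0."""
    found = {}
    for fs_id, body in flowsets(packet):
        pos = 0
        while fs_id == 0 and pos + 4 <= len(body):
            tid, count = struct.unpack_from("!HH", body, pos)
            if tid < 256 or pos + 4 + 4 * count > len(body):
                break  # padding or a truncated template record
            found[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                          for i in range(count)]
            pos += 4 + 4 * count
    return found

def audit(packet, known=KNOWN):
    """Return (unknown fields per template, data FlowSet ids with no usable template)."""
    unknown = {tid: [f for f in fields if f[0] not in known]
               for tid, fields in templates(packet).items()}
    usable = {tid for tid, bad in unknown.items() if not bad}
    orphaned = sorted({fs_id for fs_id, _ in flowsets(packet)
                       if fs_id >= 256 and fs_id not in usable})
    return unknown, orphaned

# Constructed sample: v9 header, template 257 with one type-144 field, one data FlowSet.
fields = [(8, 4), (12, 4), (144, 4)]
tmpl = struct.pack("!HH", 257, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
SAMPLE = (struct.pack("!HHIIII", 9, 2, 1000, 1495360672, 1, 0)
          + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
          + struct.pack("!HH", 257, 4 + 12) + bytes(12))
```

Running `audit()` on the UDP payload of a captured export packet gives the full list of field types and lengths the exporter is sending, which is the information needed to decide whether to drop a `collect` line from the flow record or to add a field definition on the collector side.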

