[netfow codec] Can't (yet) decode flowset

Elastic Stack Logstash
1

Another day another something strange happening.

Copied a VM running 5.4, upgraded to 5.6.1 => 5.6.2. No problem.

Same VM, upgraded 5.4 directly to 5.6.2. Now netflow can't decode the flowset and no the problem is not going away after a few minutes. Tried waiting, rebooting etc. but nothing helps.

[2017-10-04T16:21:06,330][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 261 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-04T16:21:06,330][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 257 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-04T16:21:06,330][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 261 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-04T16:21:06,330][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 257 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-04T16:21:06,330][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 257 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-04T16:21:06,330][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 261 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-04T16:21:06,331][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 261 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2017-10-04T16:21:08,502][WARN ][logstash.codecs.netflow  ] Can't (yet) decode flowset id 261 from source id 1, because no template to decode it with has been received. This message will usually go away after 1 minute.
2

Can you show us your config?

3

I can.

input {
   udp {
     port => 9995
	type => "netflow"
	codec => netflow {
	versions => [9]
}
}
}

filter {
  if [type] == "netflow" {
  mutate {
    add_field => {
      "[netflow][ipv4_dst_host]" => "%{[netflow][ipv4_dst_addr]}"
      "[netflow][ipv4_src_host]" => "%{[netflow][ipv4_src_addr]}"
    }
  }

  if ([netflow][l4_dst_port]) {
   mutate {
     add_field => {
      "[netflow][l4_dst_port_translation]" => "%{[netflow][l4_dst_port]}"
     }
   } 
  }

  translate {
    dictionary_path => '/etc/logstash/port_translation.yaml'
    field => "[netflow][l4_dst_port_translation]"
    override => true
    destination => "[netflow][l4_dst_port_translation]"
  }

  dns {
    action => 'replace'
    reverse => "[netflow][ipv4_dst_host]"
  }

  dns {
  action => 'replace'
  reverse => "[netflow][ipv4_src_host]"
  }
}
}

output {
if [type] == "netflow" {
elasticsearch {
hosts => localhost
index => "netflow-%{+YYYY.MM.dd}"
}
}
}

I made no changes to the config between 5.4 and 5.6.

4

Definitely interested to hear if anyone's been able to solve this.

5

I couldn't get it working on my Ubuntu install that is shared with Elastic but I did a separate Logstash only install on Xubuntu and that one works.

6

Sjaak01, do you have the java dev kit installed, or just the JRE? Not 100% sure yet but starting to think that this is because when the plugin is downloaded it needs the JDK to build it locally. At least, that's assuming our issues have a common cause.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.