Unknown setting 'definitions' for netflow!

bzaki · June 28, 2016, 7:00am

Hello,

I'm trying to use ELK to collect netflows. I'm using logstash 2.3.3 . But when I use the configuration option 'definitions' I get the error "Unknown setting 'definitions' for netflow". Here's my config file below:

udp {
  port => 4739
  codec => netflow {
    definitions => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-netflow-2.1.0/lib/logstash/codecs/netflow/netflow.yaml"
    versions => [9]
 }

}

solidz · June 28, 2016, 1:41pm

+1 !!

It works with Logstash 2.3.2, but not with Logstash 2.3.3 for me

bzaki · June 29, 2016, 6:41am

So you mean that I should downgrade to 2.3.2 ??

solidz · June 29, 2016, 7:14am

I downgrade to 2.3.2 because I can't resolve this issue in 2.3.3

But I will try to find the problem, and if I find the solution, I will post a comment here.

bzaki · June 29, 2016, 7:15am

Thank you.

bzaki · June 29, 2016, 7:16am

Did you try to capture ipfix or you are just capturing netflow?

solidz · June 29, 2016, 7:23am

Just "Flexible NetFlow (v9)" (for Cisco NX-OS and Cisco ASA) but one day I will try with IPFIX to see differences between IPFIX and NF

solidz · June 29, 2016, 7:44am

It's very strange.
When I test the configuration file with "service logstash configtest" in Logstash 2.3.2, the output is :
"Configuration OK"

But in Logstash 2.3.3 I have :
"Unknown setting 'definitions' for netflow {:level=>:error}
The given configuration is invalid. Reason: Something is wrong with your configuration. {:level=>:fatal}"

It's the same for you ? Do you tried with Logstash 2.3.2 ?

Your configuration file seems good. I think that this issue is bound to the version of Logstash. Maybe plugin NetFlow is not compatible with this upgrade. I continue to search.

magnusbaeck · June 29, 2016, 7:51am

Logstash 2.3.3 included a upgrade of the netflow codec from 2.0.5 to 2.1.0. It appears 2.1.0 replaced definitions with netflow_definitions and ipfix_definitions. It seems the Logstash 2.3 documentation listed as current on elastic.co doesn't actually include this update, but you can read the raw documentation at https://github.com/logstash-plugins/logstash-codec-netflow/blob/v2.1.0/lib/logstash/codecs/netflow.rb.

solidz · June 29, 2016, 8:06am

Oh nice it works !! Thanks

bzaki · June 29, 2016, 8:56am

Yes, thank you it worked perfectly. But I just have one more inquiry, Is there a problem to collect ipfix flows using netflow codec if I used ipfix definitions like the configuration below? Or do I have to use ipfix codec? Because I'm facing dependency problems while installing logstash-codec-ipfix.

input { udp { port => 4739 codec => netflow { netflow_definitions => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-netflow-2.1.0/lib/logstash/codecs/netflow/ipfix.yaml" versions => [10] target => ipfix } type => ipfix } }

output {
stdout { codec => rubydebug }
elasticsearch {
index => "logstash_ipfix-%{+YYYY.MM.dd}"
hosts => "localhost"
}
}

Error log:

No matching template for flow id 271 {:level=>:warn, :file=>"logstash/codecs/netflow.rb", :line=>"409", :method=>"decode_ipfix"}

solidz · June 29, 2016, 10:43am

I know this error. You recover a field who is not referency in the netflow codec.
What is your IPFIX configuration on your router ?