Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CISCO SD WAN HSL Can't (yet) decode flowset id #211

Open
SorinCeaus opened this issue Jan 25, 2025 · 1 comment
Open

CISCO SD WAN HSL Can't (yet) decode flowset id #211

SorinCeaus opened this issue Jan 25, 2025 · 1 comment
Labels
bug status:needs-info

Comments

@SorinCeaus
Copy link

SorinCeaus commented Jan 25, 2025
edited
Loading

Logstash v8.15.1 classical VM installation run as a service on RH9.
Netflow codec plugin v4.3.2

Using following config :

input {
  tcp {
    port => 15055
    host => "0.0.0.0"
    codec => netflow {
      versions => [5, 9, 10]
      cache_ttl => 12000
      cache_save_path => "/tmp"
      include_flowset_id => true
      }
  }
  udp {
    port => 15055
    host => "0.0.0.0"
    codec => netflow {
      versions => [5, 9, 10]
      cache_ttl => 12000
      cache_save_path => "/tmp"
      include_flowset_id => true
      }
  }
}

Netflow exporter is a CISCO SD WAN HSL sending v9 and v10 ipfix, template is sent OK (present in pcap) and file is created in /tmp/

cat /tmp/ipfix_templates.cache
{"6|257":[["string","applicationId",{"length":4,"trim_padding":true}],["string","applicationName",{"length":24,"trim_padding":true}],["string","applicationDescription",{"length":55,"trim_padding":true}]],"6|258":[["uint32","ingressInterface"],["string","interfaceName",{"length":33,"trim_padding":true}],["string","interfaceDescription",{"length":65,"trim_padding":true}],["uint32","egressInterface"]]}

but still we get this in logstash-plain.log (of course, it doesn't go away):

[2025-01-25T21:09:52,414][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 409 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:52,414][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 413 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:52,414][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 409 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:52,869][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 318 from observation domain id 512, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:53,078][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 409 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:53,134][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 379 from observation domain id 512, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:53,488][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 412 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:53,818][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 412 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:54,039][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 409 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:54,080][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Invalid netflow packet received (value '0' not as expected for obj.records[1].flowset_data.templates[0].scope_length)
[2025-01-25T21:09:54,091][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 418 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:54,091][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 417 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2025-01-25T21:09:54,092][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Unsupported field in template 433 {:type=>35001, :length=>2}
[2025-01-25T21:09:54,093][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Unsupported field in template 432 {:type=>35001, :length=>2}
[2025-01-25T21:09:54,093][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Unsupported field in template 431 {:type=>35001, :length=>2}
[2025-01-25T21:09:54,093][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Unsupported field in template 430 {:type=>35001, :length=>2}
[2025-01-25T21:09:54,093][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Unsupported field in template 429 {:type=>35001, :length=>2}
[2025-01-25T21:09:54,094][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Unsupported field in template 428 {:type=>35001, :length=>2}
[2025-01-25T21:09:54,095][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Unsupported field in template 427 {:type=>35001, :length=>2}
[2025-01-25T21:09:54,095][WARN ][logstash.codecs.netflow  ][NetFlow_TEST][71011548a455c721f7adeedc88b61bcaa1caf3bf67a704dea16cc1720a9c0722] Can't (yet) decode flowset id 417 from source id 300, because no template to decode it with has been received. This message will usually go away after 1 minute.
@SorinCeaus SorinCeaus added the bug label Jan 25, 2025
@flexitrev
Copy link

Have you tried supplying your own definitions for the unsupported fields?
https://github.com/logstash-plugins/logstash-codec-netflow/blob/main/docs/index.asciidoc#ipfix_definitions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug status:needs-info
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@robbavey @SorinCeaus @flexitrev