logstash-plugins/logstash-codec-netflow

Can't (yet) decode flowset id 261 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.

GerryLon opened this issue · 2 comments

Part of logstash's log

... Invalid netflow packet received (value '0' not as expected for obj.records[0].flowset_data.templates[0].scope_length)
[2019-04-19T11:04:47,173][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 261 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2019-04-19T11:04:47,173][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 260 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2019-04-19T11:04:47,173][WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 256 from source id 0, because no template to decode it with has been received. This message will usually go away after 1 minute.
[2019-04-19T11:04:48,513][WARN ][logstash.codecs.netflow ] Invalid netflow packet received (value '0' not as expected for obj.records[0].flowset_data.templates
...

Other

  • Netflow Generating Device: CISCO 2911/K9
  • Version: logstash-codec-netflow (3.14.1)
  • Operating System: CentOS Linux release 7.6.1810 (Core) (kernel: 3.10.0-957.el7.x86_64)
  • Config File:

input {
  # Netflow
  udp {
    id => "input_udp_netflow_ipv4"
    host => "${ELASTIFLOW_NETFLOW_IPV4_HOST:0.0.0.0}"
    port => "${ELASTIFLOW_NETFLOW_IPV4_PORT:2055}"
    workers => "${ELASTIFLOW_NETFLOW_UDP_WORKERS:4}"
    queue_size => "${ELASTIFLOW_NETFLOW_UDP_QUEUE_SIZE:2048}"
    receive_buffer_bytes => "${ELASTIFLOW_NETFLOW_UDP_RCV_BUFF:33554432}"
    codec => netflow {
      versions => [5,9,10]
      include_flowset_id => "true"
      netflow_definitions => "${ELASTIFLOW_DEFINITION_PATH:/etc/logstash/elastiflow/definitions}/netflow.yml"
      ipfix_definitions => "${ELASTIFLOW_DEFINITION_PATH:/etc/logstash/elastiflow/definitions}/ipfix.yml"
    }
    type => "netflow"
  }
}
  • Sample Data:
    Please see attachment: flow.zip.
    flow.zip

  • Steps to Reproduce:
    I deploy Logstash with Kubernetes. I'm very glad to supply my environment information if you need it.

Many Thanks!

The same error occurred when I updated logstash-codec-netflow to version 4.2.1.

In fact, there is no template with id 261 sent by my router, weird.
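
An added example, not part of the issue thread or of logstash-codec-netflow: one way to check what an exporter actually puts on the wire is to replay its NetFlow v9 UDP payloads in arrival order and list every template id it defines (in template flowset 0 or options template flowset 1), any options template with `scope_length` 0 (the field named in the "Invalid netflow packet" warning), and any data flowset that arrived before a template with its id. The function names and the sample packets are constructed for illustration; templates are keyed by source id and template id as an assumption.

```python
import struct

def flowsets(packet):
    """Yield (source_id, flowset_id, body) for each flowset in one NetFlow v9 packet."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    off = 20  # fixed size of the v9 packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"bad flowset length {fs_len} at offset {off}")
        yield source_id, fs_id, packet[off + 4:off + fs_len]
        off += fs_len

def audit(packets):
    """Replay packets in order and report template definitions and undecodable data."""
    known, undecodable = {}, []  # known: (source_id, template_id) -> scope_length or None
    for pkt in packets:
        for src, fs_id, body in flowsets(pkt):
            pos = 0
            if fs_id == 0:    # template flowset: template_id, field_count, (type, length)*
                while pos + 4 <= len(body):
                    tid, nfields = struct.unpack_from("!HH", body, pos)
                    if tid < 256:
                        break  # trailing padding, not a template record
                    known[(src, tid)] = None
                    pos += 4 + 4 * nfields
            elif fs_id == 1:  # options template: template_id, scope_length, option_length
                while pos + 6 <= len(body):
                    tid, scope_len, opt_len = struct.unpack_from("!HHH", body, pos)
                    if tid < 256:
                        break
                    known[(src, tid)] = scope_len
                    pos += 6 + scope_len + opt_len
            elif fs_id > 255 and (src, fs_id) not in known:
                undecodable.append((src, fs_id))  # data flowset with no template yet
    zero_scope = [key for key, scope in known.items() if scope == 0]
    return {"known": sorted(known), "zero_scope": zero_scope, "undecodable": undecodable}

# Constructed sample packets (not taken from the issue's flow.zip); header count is not parsed.
def build_packet(*sets, source_id=0):
    body = b"".join(struct.pack("!HH", fid, 4 + len(b)) + b for fid, b in sets)
    return struct.pack("!HHIIII", 9, len(sets), 0, 0, 0, source_id) + body

SAMPLE = [
    build_packet((261, b"\x00" * 8)),                        # data arrives before any template
    build_packet((0, struct.pack("!HHHH", 256, 1, 8, 4)),    # template 256: one 4-byte field
                 (1, struct.pack("!HHHHH", 261, 0, 4, 34, 4) + b"\x00\x00")),  # options 261, scope 0
    build_packet((256, b"\x0a\x00\x00\x01"), (261, b"\x00" * 4)),
]
```

Calling `audit()` on the UDP payloads extracted from a capture, in arrival order, shows whether an id such as 261 is defined only by an options template and whether that template has a zero scope length.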