logstash-codec-netflow icon indicating copy to clipboard operation
logstash-codec-netflow copied to clipboard

Published 20 hours ago verified publisher icon logstash-plugins

Reduced-size encoding for uint32 is larger than uint32 {:field=>[:uint32, :conn_id]

Open davewat opened this issue 5 years ago • 4 comments

Docker Container Logstash 7.3 logstash-codec-netflow

Receiving Netflow from Palo Alto

Millions of errors: [logstash.codecs.netflow ] Reduced-size encoding for uint32 is larger than uint32 {:field=>[:uint32, :conn_id], :length=>8}

No data.

davewat avatar Aug 01 '19 18:08 davewat

Issue is invalid field definition for EID 148. Wrong data type is causing the error. The name is also incorrect. Will submit PR with fix.

davewat avatar Aug 01 '19 18:08 davewat

This issue is still relevant as of 4.2.1. Merging this PR would be very helpful.

jgilman-od avatar Feb 25 '20 19:02 jgilman-od

Seeing the same error using V 7.16.1. Is there any workaround?

thealy avatar Jan 21 '22 15:01 thealy

I found that Filebeat handles Netflow very well, and doesn't have this (or other) issues, so we switched over for Netflow. It is a simple listener that forwards everything over to a Kafka topic where we process it further. To help anyone get started, I've included a sample of my config. YMMV:

filebeat.inputs:
- type: netflow
  max_message_size: 10KiB
  host: "0.0.0.0:2055"
  protocols: [ v5, v9, ipfix ]
  expiration_timeout: 30m
  queue_size: 8192
  #custom_definitions:
  #- /data/override.yml
  detect_sequence_reset: true
  
processors:
  - add_tags:
      tags: [netflow]
  - add_fields:
      target: ''
      fields:
        log.group: netflow

output.kafka:
  # initial brokers for reading cluster metadata
  enabled: true
  hosts: ["10.10.10.1:9092", "10.10.10.2:9092", "10.10.10.3:9092"]
  topic: "raw"

logging.level: debug
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

davewat avatar Jan 27 '22 13:01 davewat