logstash-codec-netflow
IPFIX // Unsupported enterprise {:enterprise=>42359}
Logstash information:
- Logstash version: 8.6.2
- Logstash installation source: docker.elastic.co/logstash/logstash
- How is Logstash being run:
docker run --detach --name logstash2 --restart always --network host --volume $(pwd)/pipeline/:/usr/share/logstash/pipeline/ docker.elastic.co/logstash/logstash:8.6.2
- How was the Logstash Plugin installed:
docker exec -ti -u logstash logstash /bin/bash
bin/logstash-plugin install logstash-output-syslog
JVM (e.g. java -version):
using the bundled JDK
Description of the problem including expected versus actual behavior:
Netflow v10/IPFIX data could not be ingested due to unsupported enterprise.
message repeating constantly:
Can't (yet) decode flowset id 317 from observation domain id 6422528, because no template to decode it with has been received. This message will usually go away after 1 minute.
once a minute:
Unsupported enterprise {:enterprise=>42359}
Steps to reproduce:
logstash pipeline
input {
udp {
port => 1234
tags => [ "netflow_sdwan" ]
codec => netflow
type => ipfix
}
}
netflow/IPFIX template extracted from packet capture:
Cisco NetFlow/IPFIX
Version: 10
Observation Domain Id: 6422528
Set 1 [id=2] (Data Template): 317
FlowSet Id: Data Template (V10 [IPFIX]) (2)
FlowSet Length: 96
Template (Id = 317, Count = 18)
Template Id: 317
Field Count: 18
Field (1/18): IP_SRC_ADDR
0... .... .... .... = Pen provided: No
.000 0000 0000 1000 = Type: IP_SRC_ADDR (8)
Length: 4
Field (2/18): IP_DST_ADDR
0... .... .... .... = Pen provided: No
.000 0000 0000 1100 = Type: IP_DST_ADDR (12)
Length: 4
Field (3/18): L4_SRC_PORT
0... .... .... .... = Pen provided: No
.000 0000 0000 0111 = Type: L4_SRC_PORT (7)
Length: 2
Field (4/18): L4_DST_PORT
0... .... .... .... = Pen provided: No
.000 0000 0000 1011 = Type: L4_DST_PORT (11)
Length: 2
Field (5/18): PROTOCOL
0... .... .... .... = Pen provided: No
.000 0000 0000 0100 = Type: PROTOCOL (4)
Length: 1
Field (6/18): DIRECTION
0... .... .... .... = Pen provided: No
.000 0000 0011 1101 = Type: DIRECTION (61)
Length: 1
Field (7/18): lineCardId
0... .... .... .... = Pen provided: No
.000 0000 1000 1101 = Type: lineCardId (141)
Length: 4
Field (8/18): 522 [pen: Versa Networks, Inc]
1... .... .... .... = Pen provided: Yes
.000 0010 0000 1010 = Type: 522 [pen: Versa Networks, Inc]
Length: 2
PEN: Versa Networks, Inc (42359)
Field (9/18): 574 [pen: Versa Networks, Inc]
1... .... .... .... = Pen provided: Yes
.000 0010 0011 1110 = Type: 574 [pen: Versa Networks, Inc]
Length: 2
PEN: Versa Networks, Inc (42359)
Field (10/18): flowStartMilliseconds
0... .... .... .... = Pen provided: No
.000 0000 1001 1000 = Type: flowStartMilliseconds (152)
Length: 8
Field (11/18): flowEndMilliseconds
0... .... .... .... = Pen provided: No
.000 0000 1001 1001 = Type: flowEndMilliseconds (153)
Length: 8
Field (12/18): INPUT_SNMP
0... .... .... .... = Pen provided: No
.000 0000 0000 1010 = Type: INPUT_SNMP (10)
Length: 4
Field (13/18): OUTPUT_SNMP
0... .... .... .... = Pen provided: No
.000 0000 0000 1110 = Type: OUTPUT_SNMP (14)
Length: 4
Field (14/18): BYTES_TOTAL
0... .... .... .... = Pen provided: No
.000 0000 0101 0101 = Type: BYTES_TOTAL (85)
Length: 8
Field (15/18): PACKETS_TOTAL
0... .... .... .... = Pen provided: No
.000 0000 0101 0110 = Type: PACKETS_TOTAL (86)
Length: 8
Field (16/18): 540 [pen: Versa Networks, Inc]
1... .... .... .... = Pen provided: Yes
.000 0010 0001 1100 = Type: 540 [pen: Versa Networks, Inc]
Length: 2
PEN: Versa Networks, Inc (42359)
Field (17/18): 519 [pen: Versa Networks, Inc]
1... .... .... .... = Pen provided: Yes
.000 0010 0000 0111 = Type: 519 [pen: Versa Networks, Inc]
Length: 4
PEN: Versa Networks, Inc (42359)
Field (18/18): IP_TOS
0... .... .... .... = Pen provided: No
.000 0000 0000 0101 = Type: IP_TOS (5)
Length: 1
IPFIX is being sent by Advantech FWA-3260 / Versa 810.
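As an added example (not code from logstash-codec-netflow or from the reporter), the following Ruby parser decodes an IPFIX template set the way the template above is laid out: a field specifier whose high bit is set carries a 4-byte Private Enterprise Number (42359 for Versa here) after the element id and length. The sample template bytes are constructed from four of the 18 fields above; the point it shows is that a collector can still compute the data record length and skip unknown-enterprise fields by their declared length instead of rejecting the whole template.

```ruby
# IPFIX (NetFlow v10) template set parser with enterprise-bit handling.
# Constructed sample modelled on template id 317 from the issue; fixed-length
# fields only (the variable-length marker 65535 is not handled here).

KNOWN_ENTERPRISES = [0].freeze  # IANA elements only; PEN 42359 is "unknown"

# Encode one field specifier: element id (bit 15 = enterprise bit), length,
# and the optional 4-byte PEN.
def build_field(id, len, pen = nil)
  pen ? [id | 0x8000, len, pen].pack("nnN") : [id, len].pack("nn")
end

# Constructed template set: set id 2, template 317, 4 fields
SAMPLE_TEMPLATE_SET = begin
  fields = build_field(8, 4) +              # IP_SRC_ADDR
           build_field(522, 2, 42359) +     # Versa enterprise element
           build_field(152, 8) +            # flowStartMilliseconds
           build_field(519, 4, 42359)       # Versa enterprise element
  body = [317, 4].pack("nn") + fields
  [2, 4 + body.bytesize].pack("nn") + body  # set header: id, total length
end

def parse_template_set(bytes)
  set_id, set_len = bytes.unpack("nn")
  raise "not a template set (id #{set_id})" unless set_id == 2
  raise "truncated set" if bytes.bytesize < set_len
  tmpl_id, count = bytes.unpack("@4nn")
  off = 8
  fields = []
  count.times do
    id, len = bytes.unpack("@#{off}nn")
    off += 4
    pen = 0
    if id & 0x8000 != 0            # enterprise bit set: PEN follows
      pen = bytes.unpack1("@#{off}N")
      off += 4
      id &= 0x7fff
    end
    fields << { id: id, length: len, enterprise: pen }
  end
  { template_id: tmpl_id, fields: fields }
end

# Record length follows from the template even when a PEN is unknown, so
# unknown-enterprise fields can be skipped by length rather than failing.
def record_length(template)
  template[:fields].sum { |f| f[:length] }
end

def unknown_enterprises(template)
  template[:fields].map { |f| f[:enterprise] }.uniq
                   .reject { |e| KNOWN_ENTERPRISES.include?(e) }
end
```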