You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
first.pcap.zip
Logstash receives the attached packets (template and flow packets) but it seems to drop the flow packet with the error
[WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 2048 from observation domain id 1010, because no template to decode it with has been received. This message will usually go away after 1 minute.
Subsequent flow packets seem to parsed and it is showing up in kibana UI.
I need help in figuring out why this first flow packet alone is dropped even though template packet is coming before the flow packet.
I'm using these versions
logstash 6.4.3
logstash-codec-netflow (3.14.1)
I have a netflow codec configuration for UDP messages similar to this
codec
{
** versions => [5,9,10]**
** target => "ipfix"**
** cache_save_path => "/usr/..."**
** ipfix_definitions => "...path to ipfix.yml file"**
}
Always, the first flow packet for a new domain ID is dropped by logstash.
Pcap captured on logstash while getting this issue
first.pcap.zip first.pcap.zip
I'm using pmacctd as flow exporter which sends template just before sending the first flow packet
The text was updated successfully, but these errors were encountered:
first.pcap.zip
Logstash receives the attached packets (template and flow packets) but it seems to drop the flow packet with the error
[WARN ][logstash.codecs.netflow ] Can't (yet) decode flowset id 2048 from observation domain id 1010, because no template to decode it with has been received. This message will usually go away after 1 minute.
Subsequent flow packets seem to parsed and it is showing up in kibana UI.
I need help in figuring out why this first flow packet alone is dropped even though template packet is coming before the flow packet.
I'm using these versions
logstash 6.4.3
logstash-codec-netflow (3.14.1)
I have a netflow codec configuration for UDP messages similar to this
codec
{
** versions => [5,9,10]**
** target => "ipfix"**
** cache_save_path => "/usr/..."**
** ipfix_definitions => "...path to ipfix.yml file"**
}
Always, the first flow packet for a new domain ID is dropped by logstash.
Pcap captured on logstash while getting this issue
first.pcap.zip
first.pcap.zip
I'm using pmacctd as flow exporter which sends template just before sending the first flow packet
The text was updated successfully, but these errors were encountered: