The version of Graylog I am using is 4.01 and I’d like to collect logs from IPFIX.
I’ve followed the below article:
https://docs.graylog.org/en/latest/pages/integrations/inputs/ipfix_input.html
Right after that Graylog started processing logs but they didn’t show up in dashboard. I found there were some errors in logs while trying to parse data:
org.graylog.integrations.ipfix.IpfixException: Missing information element definitions for private enterprise number 29305
org.graylog.integrations.ipfix.IpfixException: Missing information element definitions for private enterprise number 45346
Then I included json files for translating incoming logs for both velocloud (45346 ) and ipfix (29305):
45346: VMware Knowledge Base
29305: IP Flow Information Export (IPFIX) Entities
At this moment I am encountering the following error in graylog.log:
2021-05-31T07:25:01.846Z ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=4ff8a630-c1e1-11eb-a4f5-005056919081, journalOffset=44413432, codec=ipfix, payloadSize=1817, timestamp=2021-05-31T07:25:01.843Z, remoteAddress=/172.23.9.132:54112} on input <60af6f3b3f1dd3671d48e2fc>.
2021-05-31T07:25:01.846Z ERROR [DecodingProcessor] Error processing message RawMessage{id=4ff8a630-c1e1-11eb-a4f5-005056919081, journalOffset=44413432, codec=ipfix, payloadSize=1817, timestamp=2021-05-31T07:25:01.843Z, remoteAddress=/172.23.9.132:54112}
java.lang.NullPointerException: null
at org.graylog.integrations.ipfix.IpfixParser.parseDataSet(IpfixParser.java:338) ~[?:?]
at org.graylog.integrations.ipfix.codecs.IpfixCodec.lambda$decodeMessages$3(IpfixCodec.java:206) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_282]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384) ~[?:1.8.0_282]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_282]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_282]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_282]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_282]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[?:1.8.0_282]
at org.graylog.integrations.ipfix.codecs.IpfixCodec.decodeMessages(IpfixCodec.java:212) ~[?:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:147) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:47) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
The version of Graylog I am using is 4.01 and I’d like to collect logs from IPFIX.
I’ve followed the below article:
https://docs.graylog.org/en/latest/pages/integrations/inputs/ipfix_input.html
Right after that Graylog started processing logs but they didn’t show up in dashboard. I found there were some errors in logs while trying to parse data:
Then I included json files for translating incoming logs for both velocloud (45346 ) and ipfix (29305):
45346: VMware Knowledge Base
29305: IP Flow Information Export (IPFIX) Entities
At this moment I am encountering the following error in graylog.log: