Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IPFIX Input issue #861

Open
aazherelyeu opened this issue Jun 1, 2021 · 0 comments
Open

IPFIX Input issue #861

aazherelyeu opened this issue Jun 1, 2021 · 0 comments

Comments

@aazherelyeu
Copy link

The version of Graylog I am using is 4.01 and I’d like to collect logs from IPFIX.

I’ve followed the below article:
https://docs.graylog.org/en/latest/pages/integrations/inputs/ipfix_input.html

Right after that Graylog started processing logs but they didn’t show up in dashboard. I found there were some errors in logs while trying to parse data:

org.graylog.integrations.ipfix.IpfixException: Missing information element definitions for private enterprise number 29305
org.graylog.integrations.ipfix.IpfixException: Missing information element definitions for private enterprise number 45346

Then I included json files for translating incoming logs for both velocloud (45346 ) and ipfix (29305):

45346: VMware Knowledge Base
29305: IP Flow Information Export (IPFIX) Entities

At this moment I am encountering the following error in graylog.log:

2021-05-31T07:25:01.846Z ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=4ff8a630-c1e1-11eb-a4f5-005056919081, journalOffset=44413432, codec=ipfix, payloadSize=1817, timestamp=2021-05-31T07:25:01.843Z, remoteAddress=/172.23.9.132:54112} on input <60af6f3b3f1dd3671d48e2fc>.
2021-05-31T07:25:01.846Z ERROR [DecodingProcessor] Error processing message RawMessage{id=4ff8a630-c1e1-11eb-a4f5-005056919081, journalOffset=44413432, codec=ipfix, payloadSize=1817, timestamp=2021-05-31T07:25:01.843Z, remoteAddress=/172.23.9.132:54112}
java.lang.NullPointerException: null
at org.graylog.integrations.ipfix.IpfixParser.parseDataSet(IpfixParser.java:338) ~[?:?]
at org.graylog.integrations.ipfix.codecs.IpfixCodec.lambda$decodeMessages$3(IpfixCodec.java:206) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_282]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1384) ~[?:1.8.0_282]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_282]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_282]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_282]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_282]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:566) ~[?:1.8.0_282]
at org.graylog.integrations.ipfix.codecs.IpfixCodec.decodeMessages(IpfixCodec.java:212) ~[?:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:147) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:47) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
@bernd bernd transferred this issue from Graylog2/graylog2-server Jun 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants