Hello
I’m trying to use an IPFIX input with my Stormshield UTM. It has several proprietary fields that, according to the docs, need to be specified in a custom .json file. Here’s what those fields look like in Wireshark:
So what should the resulting JSON look like? I based mine on what I found on this forum and in the docs, and came up with something like this:
{
  "enterprise_number": 11256,
  "information_elements": [
    {
      "element_id": 1,
      "name": "stormshield_1",
      "data_type": "ipv4Address"
    },
    {
      "element_id": 3,
      "name": "stormshield_3",
      "data_type": "ipv4Address"
    },
    {
      "element_id": 4,
      "name": "stormshield_4",
      "data_type": "unsigned8"
    },
    {
      "element_id": 5,
      "name": "stormshield_5",
      "data_type": "string"
    }
  ]
}
and I still get errors in the logs. Anyway, I don’t have any clue what those fields should represent; Stormshield doesn’t provide any docs about it.
Alternatively, is there any way to ignore those messages, or ignore/mute the errors resulting from message decoding failures? Because it sh*ts a lot in my logs and I’m not comfortable with that ;-)
EDIT: tried this:
{
  "enterprise_number": 11256,
  "information_elements": [
    {
      "element_id": 1,
      "name": "stormshield_1",
      "data_type": "unsigned32"
    },
    {
      "element_id": 3,
      "name": "stormshield_3",
      "data_type": "unsigned32"
    },
    {
      "element_id": 4,
      "name": "stormshield_4",
      "data_type": "unsigned8"
    },
    {
      "element_id": 5,
      "name": "stormshield_5",
      "data_type": "octetArray"
    }
  ]
}
Still doesn’t work.
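Added example, not part of the original post and not the collector's own code: an IPFIX exporter announces each enterprise-specific element's ID, enterprise number and field length in its Template Set (RFC 7011), so those values can be read from a captured message and compared with the JSON definition. The sample message is constructed; its field lengths are assumptions, not values observed from a Stormshield device.

```python
import struct

PEN_BIT = 0x8000   # top bit of the element ID marks an enterprise-specific IE
VARLEN = 0xFFFF    # field length value meaning "variable length" (RFC 7011)

def build_sample_message():
    """Constructed IPFIX message with one template; all lengths are made up."""
    fields = [(8, 4, None),                      # IANA sourceIPv4Address
              (1, 4, 11256), (3, 4, 11256),      # enterprise IEs, PEN from the post
              (4, 1, 11256), (5, VARLEN, 11256)]
    body = struct.pack("!HH", 256, len(fields))  # template ID 256, field count
    for ie_id, length, pen in fields:
        if pen is None:
            body += struct.pack("!HH", ie_id, length)
        else:
            body += struct.pack("!HHI", ie_id | PEN_BIT, length, pen)
    tset = struct.pack("!HH", 2, 4 + len(body)) + body      # set ID 2 = Template Set
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 0) + tset

def enterprise_fields(msg):
    """Return (template_id, pen, element_id, length) for every enterprise IE."""
    version, total = struct.unpack_from("!HH", msg, 0)
    if version != 10 or total > len(msg):
        raise ValueError("not a complete IPFIX message")
    found, pos = [], 16                          # sets start after the 16-byte header
    while pos + 4 <= total:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > total:
            raise ValueError("bad set length")
        p, end = pos + 4, pos + set_len
        while set_id == 2 and p + 4 <= end:
            tid, count = struct.unpack_from("!HH", msg, p)
            if tid < 256:                        # zero padding at the end of the set
                break
            p += 4
            for _ in range(count):
                ie, length = struct.unpack_from("!HH", msg, p)
                p += 4
                if ie & PEN_BIT:                 # 4-byte enterprise number follows
                    (pen,) = struct.unpack_from("!I", msg, p)
                    p += 4
                    found.append((tid, pen, ie & 0x7FFF, length))
        pos += set_len
    return found

if __name__ == "__main__":
    for tid, pen, ie, length in enterprise_fields(build_sample_message()):
        size = "variable" if length == VARLEN else f"{length} bytes"
        print(f"template {tid}: PEN {pen} element {ie} -> {size}")
```

A fixed length that does not fit the declared `data_type` (for example 4 bytes declared as `unsigned8`) is one thing to rule out when decoding fails.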