Netflow issue when cisco ASA is sending messages


(Mariusgeonea) #1

Hello,

I have configured a Cisco ASA device to send NetFlow logs to Graylog; when I click on "show received messages" I don't see anything, but the packets are coming in. I have seen that many people have this issue; have you managed to fix this with a new plugin?

Thanks,
Marius.


(Jan Doberstein) #2

Did you check the time set on your ASA?


(Mariusgeonea) #3

Does the time on the ASA need to match the time on Graylog?


(Jan Doberstein) #4

To answer your question short - no.

@mariusgeonea it should be the same time in your complete environment. That would make everything easier. But I just guessed that your data is sent with a timestamp somewhere in the past or in the future. That should be something you might want to check.


(Mariusgeonea) #5

I did a search in all messages regarding that input in the last 2 days and nothing worked…


(Dustin Tennill) #6

I believe we had this configured for our routers, but not ASAs. Going to see if that worked for us, will get back in a bit.


(Mariusgeonea) #7

For routers it works excellently, but for the ASA nothing appears, and I think that the problem is with the version of NetFlow. Cisco routers send v5 and the ASA sends v9. In theory the plugin for the NetFlow input should work with v9, but for some reason it doesn't. It's a bit frustrating, but it is what it is…

Maybe the Graylog team will manage to do something to fix it, who knows…
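The v5 versus v9 distinction raised above matters for a collector: NetFlow v5 records have a fixed layout, whereas v9 is template-driven, so the exporter sends template flowsets (ID 0) describing record layouts and data flowsets (ID >= 256) that can only be decoded once the matching template for that source ID has been received. The following Python is an added example, not code from the Graylog NetFlow plugin or from Cisco, that walks a v9 export packet, stores templates per (source ID, template ID) and reports data flowsets whose template is still unknown instead of failing on them. Both sample packets are constructed here (documentation-range addresses, source ID 0, template 256); the helper names and the field-name table are the example's own.

```python
"""Template-aware NetFlow v9 packet walker (added example, not Graylog plugin code).
Data flowsets arriving before their template are reported, not decoded; that is
the v9-specific failure mode a fixed-layout v5 decoder never has to handle."""
import struct
from typing import Dict, List, Tuple

Template = List[Tuple[int, int]]              # [(field_type, field_length), ...]
TemplateTable = Dict[Tuple[int, int], Template]  # keyed by (source_id, template_id)

# A few field type numbers from RFC 3954 section 8, enough for the sample.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


def parse_v9(packet: bytes, templates: TemplateTable):
    """Return (records, unknown_template_ids) for one v9 export packet.

    `templates` is the collector's state and is updated in place whenever a
    template flowset is seen. Data flowsets whose template has not arrived yet
    are listed in `unknown_template_ids` and skipped.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    records, unknown = [], []
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError(f"bad flowset length {length} at offset {offset}")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                      # template flowset
            _store_templates(body, source_id, templates)
        elif flowset_id == 1:                    # options template: not handled here
            pass
        elif flowset_id >= 256:                  # data flowset, needs a template
            fields = templates.get((source_id, flowset_id))
            if fields is None:
                unknown.append(flowset_id)
            else:
                records.extend(_decode_records(body, fields))
        offset += length
    return records, unknown


def _store_templates(body: bytes, source_id: int, templates: TemplateTable) -> None:
    off = 0
    while off + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[off:off + 4])
        off += 4
        fields = []
        for _ in range(field_count):
            fields.append(struct.unpack("!HH", body[off:off + 4]))
            off += 4
        templates[(source_id, template_id)] = fields


def _decode_records(body: bytes, fields: Template) -> List[dict]:
    record_len = sum(flen for _, flen in fields)
    out, off = [], 0
    while record_len and off + record_len <= len(body):   # leftover bytes are padding
        rec = {}
        for ftype, flen in fields:
            raw = body[off:off + flen]
            off += flen
            name = FIELD_NAMES.get(ftype, f"field_{ftype}")
            rec[name] = (".".join(map(str, raw)) if ftype in (8, 12) and flen == 4
                         else int.from_bytes(raw, "big"))
        out.append(rec)
    return out


def _flowset(flowset_id: int, body: bytes) -> bytes:
    pad = (-len(body)) % 4                       # exporters pad flowsets to 32 bits
    return struct.pack("!HH", flowset_id, 4 + len(body) + pad) + body + b"\x00" * pad


# Constructed sample packets (not captured from a real ASA). Source ID 0;
# template 256 = IN_BYTES(4) PROTOCOL(1) L4_SRC_PORT(2) IPV4_SRC_ADDR(4) IPV4_DST_ADDR(4).
_HEADER = struct.pack("!HHIIII", 9, 2, 123456, 1524405295, 1, 0)
_TEMPLATE_256 = struct.pack("!HH", 256, 5) + b"".join(
    struct.pack("!HH", t, l) for t, l in [(1, 4), (4, 1), (7, 2), (8, 4), (12, 4)])
_RECORD = struct.pack("!IBH", 1500, 6, 443) + bytes([192, 0, 2, 1]) + bytes([198, 51, 100, 7])
SAMPLE_WITH_TEMPLATE = _HEADER + _flowset(0, _TEMPLATE_256) + _flowset(256, _RECORD)
SAMPLE_DATA_ONLY = _HEADER + _flowset(257, _RECORD)   # template 257 is never sent

if __name__ == "__main__":
    table: TemplateTable = {}
    print(parse_v9(SAMPLE_WITH_TEMPLATE, table))   # one decoded record, no unknowns
    print(parse_v9(SAMPLE_DATA_ONLY, table))       # no records, unknown template 257
```

Templates are keyed per source ID on purpose: two exporters (or two ASAs) may both use template 256 with different layouts, and a collector that keys on template ID alone will decode one exporter's records with the other's layout.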


#8

If your input is a syslog input, try a raw input instead and see if you get the messages.


(Mariusgeonea) #9

From the ASA I'm sending NetFlow (the ASA sends only NetFlow v9, btw); in Graylog I have the NetFlow input. I'm receiving the packets but they are not displayed.


(Jan Doberstein) #10

What version of the plugin and Graylog do you use?

It would be great if you could contribute some NetFlow data to us so that we can verify and test. You must know that we build everything only based on data users provided to us or that we found somewhere. No vendor was ever in direct contact with us or gave us hardware or software we could test with.


(Mariusgeonea) #11

Hi Jan,

I have two Cisco ASAs sending NetFlow to Graylog (one is running the IOS version 9.5.2 and the other one 9.4).
The Graylog version is Graylog v2.4.3+2c41897, and the plugin version is graylog-plugin-netflow-2.4.3.jar.

I have the capture from the Graylog server (pcap format), but it says that I'm not authorized to upload anything, so I have no idea how I can give you this…

Thanks,
Marius


(Mariusgeonea) #12

*I have two Cisco ASAs


(Jochen) #13

Is there anything interesting in the logs of your Graylog node?
Have you tried using Logstash’s Netflow codec to receive the packets and forward them to Graylog?

You could upload the pcap files into Dropbox, Google Drive, or a similar service and share a link.


(Mariusgeonea) #14

Hi Jochen,

I don't want to be rude, and I hope it will not sound like I'm rude.
But here is the thing: this is the 2nd time you are replying to me that a workaround is Logstash. I know that works until the Logstash server crashes or something happens to it.
But then again, if I wanted to extensively use Logstash for feeding Graylog I wouldn't use Graylog at all, I would use ELK, right? Because if I were to run Logstash it's better to run it with Kibana and not Graylog.

I understand that Graylog is free, and with free support, I really appreciate this, but the thing is that if you put a plugin in Graylog and you say it should work, then it should work :slight_smile: I also understand that no vendor wants to work too much with the Graylog team, because they can't really partner with you for "money" reasons; they often choose to partner with those who sell products to create more money, this is how the industry works.

Anyway, if you can't fix that NetFlow plugin that is ok, but if the Graylog team or somebody else would manage to fix it, it would be really nice.

More than this, it seems I'm not the only one who complained about the NetFlow issue when the ASA sends the NetFlow logs…

You can find the pcap link here: https://drive.google.com/file/d/1lBE54ACuIlyYNAWARBhJA7AVsNXA7lc2/view?usp=sharing

Thanks,
Marius.


(Mariusgeonea) #15

Hi Jochen,

I forgot about the logs from Graylog.

Here they are.

Thanks,
Marius.


2018-04-22T10:34:55.057-04:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=531235f0-463a-11e8-9b7c-000c2954fe77, journalOffset=4675781, codec=netflow, payloadSize=414, timestamp=2018-04-22T14:34:55.055Z, remoteAddress=/10.17.248.2:46664} on input <5ad97fa6a8b62b32a579949b>.
2018-04-22T10:34:55.060-04:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=531235f0-463a-11e8-9b7c-000c2954fe77, journalOffset=4675781, codec=netflow, payloadSize=414, timestamp=2018-04-22T14:34:55.055Z, remoteAddress=/10.17.248.2:46664}
java.lang.NullPointerException: null
at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessageString(NetFlowFormatter.java:54) ~[?:?]
at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessage(NetFlowFormatter.java:119) ~[?:?]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.lambda$decodeV9$2(NetFlowCodec.java:160) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_161]
at java.util.Collections$2.tryAdvance(Collections.java:4717) ~[?:1.8.0_161]
at java.util.Collections$2.forEachRemaining(Collections.java:4725) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_161]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_161]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.lambda$decodeV9$3(NetFlowCodec.java:161) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_161]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_161]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_161]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeV9(NetFlowCodec.java:163) ~[?:?]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:134) ~[?:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:148) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
2018-04-22T10:35:00.670-04:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=566a88b0-463a-11e8-9b7c-000c2954fe77, journalOffset=4675917, codec=netflow, payloadSize=387, timestamp=2018-04-22T14:35:00.667Z, remoteAddress=/10.17.248.2:46664} on input <5ad97fa6a8b62b32a579949b>.
2018-04-22T10:35:00.670-04:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=566a88b0-463a-11e8-9b7c-000c2954fe77, journalOffset=4675917, codec=netflow, payloadSize=387, timestamp=2018-04-22T14:35:00.667Z, remoteAddress=/10.17.248.2:46664}
java.lang.NullPointerException: null
at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessageString(NetFlowFormatter.java:54) ~[?:?]
at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessage(NetFlowFormatter.java:119) ~[?:?]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.lambda$decodeV9$2(NetFlowCodec.java:160) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_161]
at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_161]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_161]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.lambda$decodeV9$3(NetFlowCodec.java:161) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_161]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_161]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_161]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeV9(NetFlowCodec.java:163) ~[?:?]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:134) ~[?:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:148) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
2018-04-22T10:35:09.005-04:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=5b6281b0-463a-11e8-9b7c-000c2954fe77, journalOffset=4676089, codec=netflow, payloadSize=610, timestamp=2018-04-22T14:35:09.003Z, remoteAddress=/10.17.248.2:46664} on input <5ad97fa6a8b62b32a579949b>.
2018-04-22T10:35:09.005-04:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=5b6281b0-463a-11e8-9b7c-000c2954fe77, journalOffset=4676089, codec=netflow, payloadSize=610, timestamp=2018-04-22T14:35:09.003Z, remoteAddress=/10.17.248.2:46664}
java.lang.NullPointerException: null
at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessageString(NetFlowFormatter.java:54) ~[?:?]
at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessage(NetFlowFormatter.java:119) ~[?:?]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.lambda$decodeV9$2(NetFlowCodec.java:160) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_161]
at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_161]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_161]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.lambda$decodeV9$3(NetFlowCodec.java:161) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_161]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_161]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_161]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_161]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_161]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeV9(NetFlowCodec.java:163) ~[?:?]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:134) ~[?:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:148) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
2018-04-22T10:35:14.818-04:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=5ed958f0-463a-11e8-9b7c-000c2954fe77, journalOffset=4676227, codec=netflow, payloadSize=930, timestamp=2018-04-22T14:35:14.815Z, remoteAddress=/10.17.248.2:46664} on input <5ad97fa6a8b62b32a579949b>.
2018-04-22T10:35:14.818-04:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=5ed958f0-463a-11e8-9b7c-000c2954fe77, journalOffset=4676227, codec=netflow, payloadSize=930, timestamp=2018-04-22T14:35:14.815Z, remoteAddress=/10.17.248.2:46664}
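The log excerpt above repeats the same pattern for every packet: a DecodingProcessor "Unable to decode raw message" line naming the input, codec, payload size and exporter address, followed by a NullPointerException whose first frame is NetFlowFormatter.toMessageString inside NetFlowCodec.decodeV9. When a node logs hundreds of these it helps to reduce them to one row per input, codec and exporter with the failing frame, so it is clear whether every v9 exporter fails or only one, and whether it is always the same code path. The script below is an added example for that triage, not Graylog's own tooling; its regexes are written against the line format shown above, and the embedded sample log is constructed to mirror that excerpt (it reuses the input ID and exporter address from the thread, with placeholder message IDs and a second, made-up exporter).

```python
"""Triage Graylog DecodingProcessor errors from a server log (added example,
not Graylog tooling). Groups failures by (input, codec, exporter) and records
the exception class plus the first stack frame, i.e. where the codec failed."""
import re
from collections import defaultdict

# Patterns written against the Graylog 2.4 log excerpt in the thread above.
DECODE_ERR = re.compile(
    r"^(?P<ts>\S+) ERROR \[DecodingProcessor\] Unable to decode raw message "
    r"RawMessage\{id=(?P<id>[0-9a-f-]+), journalOffset=\d+, codec=(?P<codec>\w+), "
    r"payloadSize=(?P<size>\d+), timestamp=\S+, remoteAddress=/(?P<remote>[^}]+)\} "
    r"on input <(?P<input>[0-9a-f]+)>\.$")
EXC_LINE = re.compile(r"^(?P<exc>[\w.$]+(?:Exception|Error))(?::.*)?$")
FRAME = re.compile(r"^\s*at (?P<frame>[^(]+)\(")


def parse_decode_errors(lines):
    """One dict per 'Unable to decode raw message' line, enriched with the
    exception class and first frame of the stack trace that follows it."""
    events, cur = [], None
    for line in lines:
        m = DECODE_ERR.match(line)
        if m:
            cur = m.groupdict()
            cur["size"] = int(cur["size"])
            cur.update(exception=None, frame=None)
            events.append(cur)
        elif cur is not None and cur["exception"] is None:
            e = EXC_LINE.match(line)          # the 'Error processing message' line does not match
            if e:
                cur["exception"] = e.group("exc")
        elif cur is not None and cur["frame"] is None:
            f = FRAME.match(line)
            if f:
                cur["frame"] = f.group("frame")
    return events


def summarize(events):
    """Aggregate per (input, codec, exporter): count, bytes, first/last time,
    and how often each exception@frame combination was seen."""
    groups = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None,
                                  "last": None, "frames": defaultdict(int)})
    for ev in events:
        g = groups[(ev["input"], ev["codec"], ev["remote"])]
        g["count"] += 1
        g["bytes"] += ev["size"]
        g["first"] = ev["ts"] if g["first"] is None else min(g["first"], ev["ts"])
        g["last"] = ev["ts"] if g["last"] is None else max(g["last"], ev["ts"])
        g["frames"][f"{ev['exception'] or 'no stack trace'} @ {ev['frame'] or '?'}"] += 1
    return dict(groups)


# Constructed sample log: mirrors the thread's excerpt with placeholder message
# IDs, a trimmed stack trace, and one extra made-up exporter (192.0.2.50).
SAMPLE_LOG = """\
2018-04-22T10:34:55.057-04:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=00000000-0000-0000-0000-000000000001, journalOffset=100, codec=netflow, payloadSize=414, timestamp=2018-04-22T14:34:55.055Z, remoteAddress=/10.17.248.2:46664} on input <5ad97fa6a8b62b32a579949b>.
2018-04-22T10:34:55.060-04:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=00000000-0000-0000-0000-000000000001, journalOffset=100, codec=netflow, payloadSize=414, timestamp=2018-04-22T14:34:55.055Z, remoteAddress=/10.17.248.2:46664}
java.lang.NullPointerException: null
at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessageString(NetFlowFormatter.java:54) ~[?:?]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeV9(NetFlowCodec.java:163) ~[?:?]
2018-04-22T10:35:00.670-04:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=00000000-0000-0000-0000-000000000002, journalOffset=236, codec=netflow, payloadSize=387, timestamp=2018-04-22T14:35:00.667Z, remoteAddress=/10.17.248.2:46664} on input <5ad97fa6a8b62b32a579949b>.
java.lang.NullPointerException: null
at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessageString(NetFlowFormatter.java:54) ~[?:?]
2018-04-22T10:36:10.001-04:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=00000000-0000-0000-0000-000000000003, journalOffset=400, codec=netflow, payloadSize=120, timestamp=2018-04-22T14:36:10.000Z, remoteAddress=/192.0.2.50:2055} on input <5ad97fa6a8b62b32a579949b>.
"""

if __name__ == "__main__":
    for key, g in summarize(parse_decode_errors(SAMPLE_LOG.splitlines())).items():
        print(key, g["count"], "failures,", g["bytes"], "bytes,", dict(g["frames"]))
```

Run it against the node's server.log instead of SAMPLE_LOG to see whether only the ASA exporter fails while other v9 sources decode; in this thread the failing frame is the same for every packet, which is what pointed Jochen at a plugin bug rather than a configuration problem.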


(Jochen) #16

For reference:


(Mariusgeonea) #17

So, what is the solution then? :slight_smile:


(Jochen) #18

Subscribe to the referenced issue on GitHub to get notified when it’s being fixed.


(Mariusgeonea) #19

OK, thanks :slight_smile:


(system) #20

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.