NetFlow v9 not working (Palo Alto)

Palo Alto devices use NetFlow v9, I used to use the available plugin (https://github.com/Graylog2/graylog-plugin-netflow/releases) for NetFlow when I was on Graylog v.2.2.x. While it worked it did so only for a while, Graylog became unresponsive after a while so I stopped using it. But it did work previously, I could see the messages.

I now upgraded to Graylog 2.3.1 and wanted to try the newest NetFlow plugin again. I tested with pretty much all the recent versions and while I can see that messages are comming to the Graylog server under Metrics\incomingMessages, but they are not displayed.

Can anyone please help me out.

If you’re using the latest version of the plugin compatible with your version of Graylog and it still doesn’t work, please open an issue on GitHub at https://github.com/Graylog2/graylog-plugin-netflow/issues and attach a pcap of the NetFlow traffic which you created with tcpdump or Wireshark.

Thank you for your reply. I was thinking it’s a Java issue, it doesn’t say which one is needed.

http://docs.graylog.org/en/2.3/pages/installation.html#system-requirements

Oracle Java SE 8 (OpenJDK 8 also works; latest stable update is recommended)

It appears it’s a parsing issue:

{"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"illegal_argument_exception","reason":"Can't parse [index] value [not_analyzed] for field [nf_ipv4_src_addr], expected [true] or [false]"}}

I’d appreciate if you could help me fix this?

Check the index templates in your Elasticsearch cluster and make sure that they’re compatible with the Elasticsearch version you’re using.

• http://docs.graylog.org/en/2.3/pages/configuration/elasticsearch.html#custom-index-mappings
• https://www.elastic.co/guide/en/elasticsearch/reference/5.6/indices-templates.html

It might also help if you’ll cycle the active write index on the System / Indices / Index Set page on the “Maintenance” menu.

jochen, thanks again, but I’m unable to determine if they’re compatible, I expected to find the field nf_ipv4_src_addr in the templates, but haven’t so far. I also cycled the active write index, but it didn’t help. I’ve uploaded the curl output for the templates if that might help: https://pastebin.com/2xrXgRma .

Can anyone please help me out. We’re not getting our netflow data and I don’t know where to look.

hi,

looking at the graylog-internal template it looks like one for an older version of Elasticsearch. You could try deleting the graylog-internal template and reboot graylog node to recreate it, as recommended by Jochen in an earlier ES version change.

https://groups.google.com/forum/#!topic/graylog2/TcEamqvHT_0

After that, check you have a new graylog-internal template, which does not have string type fields, but text and keyword types. If OK, then cycle the active write index.

Thank you jtkarvo. I tried to perform the steps you and jochen suggested, but I’m having some issues deleting and getting the template to generate.

I performed a snapshot on my Graylog OVA VM and performed the following steps:

ubuntu@graylog:~ curl -X GET 'http://localhost:9200/_template/graylog-internal' {"graylog-internal":{"order":-1,"template":"graylog_*","settings":{"index":{"analysis":{"analyzer":{"analyzer_keyword":{"filter":"lowercase","tokenizer":"keyword"}}}}},"mappings":{"message":{"_source":{"enabled":true},"dynamic_templates":[{"internal_fields":{"mapping":{"type":"keyword"},"match":"gl2_*"}},{"store_generic":{"mapping":{"index":"not_analyzed"},"match":"*"}}],"properties":{"full_message":{"fielddata":false,"analyzer":"standard","type":"text"},"streams":{"type":"keyword"},"source":{"fielddata":true,"analyzer":"analyzer_keyword","type":"text"},"message":{"fielddata":false,"analyzer":"standard","type":"text"},"timestamp":{"format":"yyyy-MM-dd HH:mm:ss.SSS","type":"date"}}}},"aliases":{}}}ubuntu@graylog:~ curl -X DELETE ‘http://localhost:9200/_template/graylog-internal’
{“acknowledged”:true}ubuntu@graylog:~$ sudo reboot

Broadcast message from ubuntu@graylog
(/dev/pts/1) at 20:06 …

The system is going down for reboot NOW!
Welcome to Graylog (GNU/Linux 4.4.0-53-generic x86_64)

• Documentation: http://docs.graylog.org/en/latest/pages/installation.html#virtual-machine-appliances
  Last login: Mon Oct 23 20:02:51 2017 from 10.10.201.13
  ubuntu@graylog:~ curl -X GET 'http://localhost:9200/_template/graylog-internal' {}ubuntu@graylog:~

It appears that I deleted it just fine, but when I rebooted, a new one wasn’t created. Am I doing something wrong?

I did that once and it created a new graylog-internal. But actually, if you look at the curl output before you deleted it, it is different than the one you posted earlier (it is already ES5 compliant).

You could try recycling the index, if it worked. If that does not help, I hope Jochen has a good suggestion.

jtkarvo and Jochen, thank you, thank you thank. Apparently the previous index just took some time, because I have netflow working now, couldn’t be happier!

I took a look around and there doesn’t seem to be a way to donate to Graylog or am I missing something?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.