Hi!
We are trying Graylog as our central logging system and also want to collect NetFlow data.
I enabled the “Netflow UDP” input.
I configured NetFlow on two HP ProCurve switches.
Data is sent to the Graylog server but never appears in Graylog.
/var/log/graylog-server/server.log is rapidly filling up with these messages:
2018-12-18T09:48:23.949Z ERROR [NetFlowCodec] Error parsing NetFlow packet <0f8326a0-02aa-11e9-a019-0800273d26e9> received from
org.graylog.plugins.netflow.flows.InvalidFlowVersionException: Invalid NetFlow version 0
at org.graylog.plugins.netflow.v5.NetFlowV5Parser.parseHeader(NetFlowV5Parser.java:68) ~[graylog.jar:?]
at org.graylog.plugins.netflow.v5.NetFlowV5Parser.parsePacket(NetFlowV5Parser.java:34) ~[graylog.jar:?]
at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:128) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:148) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:91) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
I wrote a tcpdump file and checked it with Wireshark. Wireshark recognizes it as a valid sFlow v5 packet.
Any ideas? Is there a known problem with NetFlow data from HP ProCurve switches?
For analysis, I am also able to provide the tcpdump file.
Thanks
Markus
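
Added example, not part of the original post and not Graylog code: a small classifier for a captured UDP payload, showing why an sFlow v5 datagram sent to a NetFlow input is reported as "NetFlow version 0". NetFlow and IPFIX headers begin with a 16-bit version, while an sFlow v5 datagram begins with a 32-bit version of 5, so its first two bytes are zero. The sample payloads and function names are constructed for illustration.

```python
import struct

# Constructed sample payloads (not taken from the poster's capture).
# sFlow v5 datagram header: version(u32)=5, agent address type(u32)=1 (IPv4),
# agent address, sub-agent id, sequence number, uptime, number of samples.
SFLOW_V5_SAMPLE = struct.pack(
    "!II4sIIII", 5, 1, bytes([192, 0, 2, 10]), 0, 1, 1000, 0
)
# NetFlow v5 header (24 bytes): version(u16)=5, count(u16)=0, rest zeroed.
NETFLOW_V5_SAMPLE = struct.pack("!HH", 5, 0) + bytes(20)


def netflow_version_field(payload: bytes) -> int:
    """Return the value a NetFlow parser reads as the version (first 16 bits)."""
    return struct.unpack_from("!H", payload, 0)[0]


def classify_flow_datagram(payload: bytes) -> str:
    """Guess the flow export protocol from the first header bytes."""
    if len(payload) < 4:
        return "too short"
    version16 = netflow_version_field(payload)
    if version16 in (5, 9):
        return f"netflow v{version16}"
    if version16 == 10:
        return "ipfix"
    # sFlow v5: 32-bit version 5, then address type 1 (IPv4) or 2 (IPv6).
    if len(payload) >= 8:
        version32, addr_type = struct.unpack_from("!II", payload, 0)
        if version32 == 5 and addr_type in (1, 2):
            return "sflow v5"
    return "unknown"


if __name__ == "__main__":
    for name, data in (("sflow sample", SFLOW_V5_SAMPLE),
                       ("netflow sample", NETFLOW_V5_SAMPLE)):
        print(name, "->", classify_flow_datagram(data),
              "| 16-bit version field:", netflow_version_field(data))
```

To check a real capture, pass the UDP payload bytes of one packet (for example exported from Wireshark) to `classify_flow_datagram`.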