graylog2 / graylog-plugin-netflow

[DEPRECATED] Graylog NetFlow plugin

Home Page: https://www.graylog.org/

License: Apache License 2.0

Java 100.00%
netflow netflow-data graylog graylog-plugin monitoring network-analysis network-monitoring input

graylog-plugin-netflow's Introduction

DEPRECATION NOTICE

This project has been merged into graylog2-server, see #26

Please use the issue tracker in the graylog2-server repository for any feature requests or bug reports.


NetFlow Plugin for Graylog


This plugin provides a NetFlow UDP input to act as a Flow collector that receives data from Flow exporters. Each received Flow will be converted to a Graylog message.

Required Graylog version: 2.3.0 and later

Supported NetFlow Versions

This version of the plugin supports NetFlow V9. It handles IPv6 addresses without conversion and all of the fields from the fixed V5 format. In addition, the plugin supports events from a Cisco ASA 5500, including firewall and routing events. Beware: the v9 reporting significantly duplicates typical syslog reporting.

Installation

Since Graylog version 2.4.0, this plugin is included in the Graylog server installation package as a default plugin.

Download the plugin and place the .jar file in your Graylog plugin directory. By default, the plugin directory is the plugins/ folder relative to your graylog-server directory; it can be configured in your graylog.conf file.

Restart graylog-server and you are done.

Setup

In the Graylog web interface, go to System/Inputs and create a new NetFlow input like this:

NetFlow input creation dialog

Example Message

This is an example NetFlow message in Graylog:

NetFlow example fields screenshot

Example Dashboard

This is an example of a dashboard with NetFlow data:

NetFlow example dashboard screenshot

Credits

The NetFlow parsing code is based on the https://github.com/wasted/netflow project and has been ported from Scala to Java.

Plugin Development

Testing

To generate some NetFlow data for debugging and testing you can use softflowd.

Example command and output:

# softflowd -D -i eth0 -v 5 -t maxlife=1 -n 10.0.2.2:2055

Using eth0 (idx: 0)
softflowd v0.9.9 starting data collection
Exporting flows to [10.0.2.2]:2055
ADD FLOW seq:1 [10.0.2.2]:48164 <> [10.0.2.15]:22 proto:6
ADD FLOW seq:2 [10.0.2.2]:51428 <> [10.0.2.15]:22 proto:6
Starting expiry scan: mode 0
Queuing flow seq:1 (0x7fef0318bc70) for expiry reason 6
Finished scan 1 flow(s) to be evicted
Sending v5 flow packet len = 120
sent 1 netflow packets
EXPIRED: seq:1 [10.0.2.2]:48164 <> [10.0.2.15]:22 proto:6 octets>:322 packets>:7 octets<:596 packets<:7 start:2015-07-21T13:18:01.236 finish:2015-07-21T13:18:27.718 tcp>:10 tcp<:18 flowlabel>:00000000 flowlabel<:00000000  (0x7fef0318bc70)
ADD FLOW seq:3 [10.0.2.2]:2055 <> [10.0.2.15]:48363 proto:17
ADD FLOW seq:4 [10.0.2.2]:48164 <> [10.0.2.15]:22 proto:6

Plugin Release

We are using the Maven release plugin:

$ mvn release:prepare
[...]
$ mvn release:perform

This sets the version numbers, creates a tag and pushes to GitHub. Travis CI will build the release artifacts and upload them to GitHub automatically.

graylog-plugin-netflow's People

Contributors

bernd, dennisoelkers, garybot2, jalogisch, joschi, kroepke


graylog-plugin-netflow's Issues

Startup error after upgrade to fe06767

My netflow input does not start after updating to rev fe06767 of the netflow plugin.

2017-07-26 12:23:49,601 ERROR: org.graylog2.shared.inputs.InputLauncher - The [org.graylog.plugins.netflow.inputs.NetFlowUdpInput] input with ID <59707142833ee75bb43c2faa> misfired. Reason: Mandatory configuration field cache_size is missing or has the wrong data type.
org.graylog2.plugin.configuration.ConfigurationException: Mandatory configuration field cache_size is missing or has the wrong data type
         at org.graylog2.plugin.configuration.ConfigurationRequest.check(ConfigurationRequest.java:111) ~[graylog.jar:?]
         at org.graylog2.plugin.inputs.MessageInput.checkConfiguration(MessageInput.java:145) ~[graylog.jar:?]
         at org.graylog2.shared.inputs.InputLauncher$1.run(InputLauncher.java:82) [graylog.jar:?]
         at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_131]
         at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_131]
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_131]
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_131]
         at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
2017-07-26 12:23:49,630 INFO : org.graylog2.inputs.InputStateListener - Input [NetFlow UDP/59707142833ee75bb43c2faa] is now FAILED

Can we make use of the default settings if the config settings are missing?

Unexpected end-of-input in field name

When I configure Palo Alto to send netflow packets, this error occurs:

2017-08-18T18:20:18.938-03:00 ERROR [NetFlowV9TemplateCache] Couldn't load template cache from disk
com.fasterxml.jackson.core.io.JsonEOFException: Unexpected end-of-input in field name
 at [Source: /tmp/netflow-templates.json; line: 1, column: 16001]
	at com.fasterxml.jackson.core.base.ParserMinimalBase._reportInvalidEOF(ParserMinimalBase.java:483) ~[graylog.jar:?]
	at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.parseEscapedName(UTF8StreamJsonParser.java:2020) ~[graylog.jar:?]
	at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.slowParseName(UTF8StreamJsonParser.java:1921) ~[graylog.jar:?]
	at com.fasterxml.jackson.core.json.UTF8StreamJsonParser._parseName(UTF8StreamJsonParser.java:1705) ~[graylog.jar:?]
	at com.fasterxml.jackson.core.json.UTF8StreamJsonParser.nextToken(UTF8StreamJsonParser.java:776) ~[graylog.jar:?]
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:144) ~[graylog.jar:?]
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBind(MapDeserializer.java:458) ~[graylog.jar:?]
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:365) ~[graylog.jar:?]
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:27) ~[graylog.jar:?]
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3814) ~[graylog.jar:?]
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2775) ~[graylog.jar:?]
	at org.graylog.plugins.netflow.v9.NetFlowV9TemplateCache.loadCache(NetFlowV9TemplateCache.java:71) [graylog-plugin-netflow-2.3.0-rc.4.jar:?]
	at org.graylog.plugins.netflow.v9.NetFlowV9TemplateCache.<init>(NetFlowV9TemplateCache.java:62) [graylog-plugin-netflow-2.3.0-rc.4.jar:?]
	at org.graylog.plugins.netflow.v9.NetFlowV9TemplateCache.<init>(NetFlowV9TemplateCache.java:48) [graylog-plugin-netflow-2.3.0-rc.4.jar:?]
	at org.graylog.plugins.netflow.codecs.NetFlowCodec.<init>(NetFlowCodec.java:85) [graylog-plugin-netflow-2.3.0-rc.4.jar:?]
	at org.graylog.plugins.netflow.codecs.NetFlowCodec$$FastClassByGuice$$5770acd4.newInstance(<generated>) [graylog-plugin-netflow-2.3.0-rc.4.jar:?]
	at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89) [graylog.jar:?]
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:111) [graylog.jar:?]
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:90) [graylog.jar:?]
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:268) [graylog.jar:?]
	at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1019) [graylog.jar:?]
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1085) [graylog.jar:?]
	at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1015) [graylog.jar:?]
	at com.google.inject.assistedinject.FactoryProvider2.invoke(FactoryProvider2.java:776) [graylog.jar:?]
	at com.sun.proxy.$Proxy118.create(Unknown Source) [?:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:132) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_144]

Below is the template received

netflow-templates.txt

Dashboard sharing

Hi,

Thanks for this awesome plugin,

Can you share the dashboard present in README.md ?

Thanks a lot.

IP Geolocation not working

Hi,

With the latest Graylog 2 (release) and support for Geolocation, I noticed that with the netflow plugin,
the nf_src_address and nf_dst_address fields, which are IP fields, don't resolve to Geolocation.

Is this working for anyone? Is it a misconfiguration on my part?
I do have it properly working with non-netflow data.

PS: I have GeoIP Resolver set as the last message processor to run.

Update

Apologies for jumping the gun; I was checking a window in which all the IPs were LAN IPs,
which is why no Geolocation was available.
This issue should be closed.

Thanks

Support for IPFIX

It would be awesome if you could add IPFIX support to this plugin. As it is an "open version of NetFlow", I think this is the right place for it.
"NetFlow and IPFIX are flow or messaging technologies that are nearly identical. IPFIX is the official IETF standard and considered by some to be NetFlow v10. IPFIX allows for variable length strings and opens the technology up to allow vendors other than Cisco to export unique details about the traffic passing through their hardware."
source: https://www.ipfixcollector.com/
To get a quick overview what it is:
https://en.wikipedia.org/wiki/IP_Flow_Information_Export
IPFIX compared to NetFlow v9:
https://www.plixer.com/blog/netflow/what-is-ipfix-vs-netflow-v9/
related issue for logstash with further information for implementation stuff:
logstash-plugins/logstash-codec-netflow#10
Eventually helpful ipfix library:
https://github.com/cameronkerrnz/libipfix

Fortinet netflow

Hi,

I configured a fortigate appliance per the instructions provided on this page: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36460. I see the traffic coming to graylog with tcpdump, but nothing displays.

Do you know about a possible non-standard here that would cause a drop of the message, making them invisible in graylog?

Thanks for your feedback.

Can't add netflow to input plugins

Hello!
First, I wanted to thank you for your very helpful application.
In a new installation I can't add the netflow plugin.

plugin_dir = /usr/share/graylog-server/plugin

list of dir

[root@graylog plugin]# ls  /usr/share/graylog-server/plugin/
graylog-plugin-anonymous-usage-statistics-2.3.1.jar  graylog-plugin-map-widget-2.3.1.jar
graylog-plugin-beats-2.3.1.jar                       graylog-plugin-netflow-2.4.0-alpha.3.jar
graylog-plugin-collector-2.3.1.jar                   graylog-plugin-pipeline-processor-2.3.1.jar
graylog-plugin-enterprise-integration-2.3.1.jar      telegram-alarm-callback-1.0.0.jar

But after restarting graylog server there is no input Netflow UDP
Graylog version Graylog 2.3.1+9f2c6ef

Can't parse [index] value [not_analyzed] for field [FlowLabel]...

Getting errors on my Elasticsearch log:

java.lang.IllegalArgumentException: Can't parse [index] value [not_analyzed] for field [FlowLabel], expected [true] or [false].
I suppose those are related to netflow plugin?

Plugin v 2.3.0-rc.5
Graylog 2.3.1
Elasticsearch 5.5.2

Cisco ASA netflow import

Hello,

The Cisco ASA netflow doesn't seem to be parsed. I can see messages coming in via tcpdump and also the message counters get increased, but nothing appears in the list of messages when viewing the source/input.
A test using softflowd however produces the desired results.

Can't start - requires version 2.3.0

The plugin can't appear to start - it seems the version requirement test might not allow for this version?

2017-08-05T07:40:00.001Z INFO  [node] [graylog] version[2.4.4], pid[1], build[fcbb46d/2017-01-03T11:33:16Z]
2017-08-05T07:40:01.0010Z ERROR [CmdLineTool] Plugin "NetFlow Plugin" requires version 2.3.0 - not loading!

IndexOutOfBoundsException when parsing Netflow v9

When parsing Netflow v9 packets generated by nprobe or netgraph, the following exception is thrown:

2017-08-08 12:00:43,624 ERROR: org.graylog2.shared.buffers.processors.DecodingProcessor - Unable to decode raw message RawMessage{id=349f0d10-7c31-11e7-a394-0242ac110004, journalOffset=1296, codec=netflow, payloadSize=1408, timestamp=2017-08-08T12:00:43.617Z, remoteAddress=/192.168.1.3:32087} on input <596cc5f34cedfd0001ba5b18>.
2017-08-08 12:00:43,625 ERROR: org.graylog2.shared.buffers.processors.DecodingProcessor - Error processing message RawMessage{id=349f0d10-7c31-11e7-a394-0242ac110004, journalOffset=1296, codec=netflow, payloadSize=1408, timestamp=2017-08-08T12:00:43.617Z, remoteAddress=/192.168.1.3:32087}
java.lang.IndexOutOfBoundsException: readerIndex(1408) + length(1) exceeds writerIndex(1408): UnpooledHeapByteBuf(ridx: 1408, widx: 1408, cap: 1408/1408)
	at io.netty.buffer.AbstractByteBuf.checkReadableBytes0(AbstractByteBuf.java:1395) ~[graylog.jar:?]
	at io.netty.buffer.AbstractByteBuf.readByte(AbstractByteBuf.java:687) ~[graylog.jar:?]
	at io.netty.buffer.AbstractByteBuf.readUnsignedByte(AbstractByteBuf.java:701) ~[graylog.jar:?]
	at org.graylog.plugins.netflow.v9.NetFlowV9Parser.parseRecords(NetFlowV9Parser.java:257) ~[?:?]
	at org.graylog.plugins.netflow.v9.NetFlowV9Parser.parsePacket(NetFlowV9Parser.java:54) ~[?:?]
	at org.graylog.plugins.netflow.flows.NetFlowParser.parse(NetFlowParser.java:63) ~[?:?]
	at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:107) ~[?:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:144) ~[graylog.jar:?]
	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]

Send Alarm Callback via HTTP alert notification

Hi, we are going to use your plugin in our Graylog software to check exactly what the plugin is for, and want to send the notifications as HTTP alert notifications so that Icinga2 is able to read them. Could you give us some advice on what we have to tell our developers so that they are able to extend your plugin? Thanks in advance, Martin

services name

Hello,
We got Graylog 2.0 installed on CentOS 7 and we added the netflow plugin. Everything is fine, but is it possible to "translate" port numbers to service names? I found the Protocol.java file in the sources; is there a way to do the same thing for services? Or maybe to parse /etc/services?

Thank you for your reply and sorry for my bad English :)

netflow source gets rewritten

I'm using Graylog 2.4.3+2c41897 (Elastic/Mongo/Graylog cluster + nginx and HAproxy) with the netflow input. Everything works perfectly but the netflow source gets rewritten with the default gateway of the container where the stack is running.
Any hints?

Thanks

Cisco IOS-XE CGNAT Bulk Port - Netflow v9 - Error processing message RawMessage

Hello,

I am experiencing an error on decoding messages from a Cisco ASR 1k.

Graylog version is Graylog v2.3.1+9f2c6ef, and Netflow Plugin is 2.3.0-rc.5.

Attached is the PCAP file for the messages.

Following is the error message:

2017-10-05T13:19:17.396-03:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=ef8299f0-a9e8-11e7-aa1d-001a4a160183, journalOffset=68844, codec=netflow, payloadSize=102, timestamp=2017-10-05T16:19:17.391Z, remoteAddress=/172.30.30.51:54375} on input <59d5a3075c9eef39fabd64d0>.
2017-10-05T13:19:17.396-03:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=ef8299f0-a9e8-11e7-aa1d-001a4a160183, journalOffset=68844, codec=netflow, payloadSize=102, timestamp=2017-10-05T16:19:17.391Z, remoteAddress=/172.30.30.51:54375}
java.lang.NullPointerException: null
        at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessageString(NetFlowFormatter.java:54) ~[?:?]
        at org.graylog.plugins.netflow.flows.NetFlowFormatter.toMessage(NetFlowFormatter.java:119) ~[?:?]
        at org.graylog.plugins.netflow.codecs.NetFlowCodec.lambda$decodeV9$2(NetFlowCodec.java:160) ~[?:?]
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_144]
        at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_144]
        at java.util.Collections$2.tryAdvance(Collections.java:4717) ~[?:1.8.0_144]
        at java.util.Collections$2.forEachRemaining(Collections.java:4725) ~[?:1.8.0_144]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_144]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_144]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_144]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_144]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_144]
        at org.graylog.plugins.netflow.codecs.NetFlowCodec.lambda$decodeV9$3(NetFlowCodec.java:161) ~[?:?]
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_144]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374) ~[?:1.8.0_144]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_144]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_144]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_144]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_144]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_144]
        at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeV9(NetFlowCodec.java:163) ~[?:?]
        at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:134) ~[?:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:144) ~[graylog.jar:?]
        at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_144]

Regards,

Sergio Villela
netflow.zip

Netflow v9 Flows with no template present (yet) should be stored instead of discarded.

Right now we are discarding flows when the associated template is not present (yet), while RFC3954 states that:

   If the Template Records have not been
   received at the time Flow Data Records (or Options Data Records) are
   received, the Collector SHOULD store the Flow Data Records (or
   Options Data Records) and decode them after the Template Records are
   received.  A Collector device MUST NOT assume that the Data FlowSet
   and the associated Template FlowSet (or Options Template FlowSet) are
   exported in the same Export Packet.

Temporary buffering of flows where the template is not present (yet) should be implemented and once the template was received, associated flows should be processed.

Move into graylog2-server

Check if anything is using the fully qualified class names before changing the packages. We might need migrations to fix this.

Examples:

  • Cluster config
  • Other MongoDB database objects
  • Config file settings.

Also move all open issues to the new repo.

v9 template parsing issue

There seems to be a problem with template parsing. The first error shows that there is no template for a packet. The second error, 2 seconds later, shows a template parsing issue.

2017-08-08_13:58:03.28568 2017-08-08 13:58:03,285 ERROR: org.graylog.plugins.netflow.codecs.NetFlowCodec - Error parsing NetFlow packet <b78b2476-7c40-11e7-a3ff-005056b6418d> received from <10.1.10.26:54482>
2017-08-08_13:58:03.28569 org.graylog.plugins.netflow.flows.EmptyTemplateException: Unable to parse NetFlow 9 records without template. Discarding packet.
2017-08-08_13:58:03.28569 	at org.graylog.plugins.netflow.v9.NetFlowV9Parser.parsePacket(NetFlowV9Parser.java:56) ~[graylog-plugin-netflow-2.3.0-rc.4.jar:?]
2017-08-08_13:58:03.28569 	at org.graylog.plugins.netflow.flows.NetFlowParser.parse(NetFlowParser.java:63) ~[graylog-plugin-netflow-2.3.0-rc.4.jar:?]
2017-08-08_13:58:03.28569 	at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:107) [graylog-plugin-netflow-2.3.0-rc.4.jar:?]
2017-08-08_13:58:03.28569 	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:144) [graylog.jar:?]
2017-08-08_13:58:03.28570 	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
2017-08-08_13:58:03.28570 	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
2017-08-08_13:58:03.28570 	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
2017-08-08_13:58:03.28570 	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
2017-08-08_13:58:03.28570 	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
2017-08-08_13:58:03.28571 	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

2017-08-08_13:58:05.34156 2017-08-08 13:58:05,341 ERROR: org.graylog2.shared.buffers.processors.DecodingProcessor - Unable to decode raw message RawMessage{id=b81c8f00-7c40-11e7-a3ff-005056b6418d, journalOffset=250337669, codec=netflow, payloadSize=492, timestamp=2017-08-08T13:51:46.672Z, remoteAddress=/10.1.9.2:7560} on input <5980f99075010f0b154d87e9>.
2017-08-08_13:58:05.34220 2017-08-08 13:58:05,341 ERROR: org.graylog2.shared.buffers.processors.DecodingProcessor - Error processing message RawMessage{id=b81c8f00-7c40-11e7-a3ff-005056b6418d, journalOffset=250337669, codec=netflow, payloadSize=492, timestamp=2017-08-08T13:51:46.672Z, remoteAddress=/10.1.9.2:7560}
2017-08-08_13:58:05.34221 java.lang.IndexOutOfBoundsException: readerIndex(492) + length(2) exceeds writerIndex(492): UnpooledHeapByteBuf(ridx: 492, widx: 492, cap: 492/492)
2017-08-08_13:58:05.34222 	at io.netty.buffer.AbstractByteBuf.checkReadableBytes0(AbstractByteBuf.java:1395) ~[graylog.jar:?]
2017-08-08_13:58:05.34223 	at io.netty.buffer.AbstractByteBuf.readShort(AbstractByteBuf.java:706) ~[graylog.jar:?]
2017-08-08_13:58:05.34223 	at io.netty.buffer.AbstractByteBuf.readUnsignedShort(AbstractByteBuf.java:722) ~[graylog.jar:?]
2017-08-08_13:58:05.34224 	at org.graylog.plugins.netflow.v9.NetFlowV9Parser.parseTemplates(NetFlowV9Parser.java:122) ~[?:?]
2017-08-08_13:58:05.34224 	at org.graylog.plugins.netflow.v9.NetFlowV9Parser.parsePacket(NetFlowV9Parser.java:45) ~[?:?]
2017-08-08_13:58:05.34224 	at org.graylog.plugins.netflow.flows.NetFlowParser.parse(NetFlowParser.java:63) ~[?:?]
2017-08-08_13:58:05.34224 	at org.graylog.plugins.netflow.codecs.NetFlowCodec.decodeMessages(NetFlowCodec.java:107) ~[?:?]
2017-08-08_13:58:05.34224 	at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:144) ~[graylog.jar:?]
2017-08-08_13:58:05.34225 	at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:87) [graylog.jar:?]
2017-08-08_13:58:05.34225 	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:74) [graylog.jar:?]
2017-08-08_13:58:05.34225 	at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
2017-08-08_13:58:05.34225 	at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
2017-08-08_13:58:05.34225 	at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
2017-08-08_13:58:05.34225 	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
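
The two NetFlow v9 behaviours discussed in the issues above, sketched as an added Python example (not the plugin's Java code): data FlowSets that arrive before their template are parked and decoded once it shows up, as RFC 3954 asks, and every FlowSet and template length is checked against the bytes actually received, so a short or lying packet is rejected instead of read past its end. The class and helper names, the 64-entry cap on parked FlowSets (NetFlow arrives over unauthenticated UDP, so the buffer must be bounded) and the sample packets are assumptions constructed for this example.

```python
import struct
from collections import deque

HEADER = struct.Struct("!HHIIII")  # version, count, uptime, unix_secs, sequence, source_id


class MalformedPacket(ValueError):
    """Raised instead of reading past the end of the datagram."""


class V9Collector:
    def __init__(self, max_pending=64):  # cap is an assumption, not an RFC value
        self.templates = {}      # (exporter, source_id, template_id) -> [(type, len)]
        self.pending = deque()   # parked (key, body) pairs awaiting a template
        self.max_pending = max_pending
        self.dropped = 0

    def feed(self, exporter, packet):
        """Parse one export packet; return decoded records as {field_type: bytes}."""
        if len(packet) < HEADER.size:
            raise MalformedPacket("short header")
        version, _, _, _, _, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise MalformedPacket("not NetFlow v9")
        out, off = [], HEADER.size
        while off < len(packet):
            if len(packet) - off < 4:
                raise MalformedPacket("truncated FlowSet header")
            fs_id, fs_len = struct.unpack_from("!HH", packet, off)
            if fs_len < 4 or off + fs_len > len(packet):
                raise MalformedPacket("FlowSet length %d overruns packet" % fs_len)
            body = packet[off + 4:off + fs_len]
            key = (exporter, source_id, fs_id)
            if fs_id == 0:                                   # Template FlowSet
                out += self._learn(exporter, source_id, body)
            elif fs_id > 255 and key in self.templates:      # Data FlowSet, known
                out += self._decode(self.templates[key], body)
            elif fs_id > 255:                                # Data FlowSet, unknown
                self._park(key, body)
            off += fs_len                                    # ids 1..255 are skipped
        return out

    def _learn(self, exporter, source_id, body):
        out, off = [], 0
        while len(body) - off >= 4:
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            if tid <= 255 or nfields * 4 > len(body) - off:
                raise MalformedPacket("template %d overruns its FlowSet" % tid)
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            if sum(length for _, length in fields) == 0:
                raise MalformedPacket("template %d has zero-length records" % tid)
            key = (exporter, source_id, tid)
            self.templates[key] = fields
            # Decode anything parked for this template, keep the rest parked.
            ready = [b for k, b in self.pending if k == key]
            self.pending = deque(p for p in self.pending if p[0] != key)
            for parked in ready:
                out += self._decode(fields, parked)
        return out

    @staticmethod
    def _decode(fields, body):
        size, off, records = sum(length for _, length in fields), 0, []
        while len(body) - off >= size:   # a shorter tail is alignment padding
            rec = {}
            for ftype, length in fields:
                rec[ftype] = body[off:off + length]
                off += length
            records.append(rec)
        return records

    def _park(self, key, body):
        if len(self.pending) >= self.max_pending:   # evict oldest, count the loss
            self.pending.popleft()
            self.dropped += 1
        self.pending.append((key, body))


def flowset(fs_id, body):
    """Build a constructed FlowSet: id, total length, body."""
    return struct.pack("!HH", fs_id, len(body) + 4) + body


def packet(source_id, *flowsets):
    return HEADER.pack(9, len(flowsets), 0, 0, 0, source_id) + b"".join(flowsets)


# Constructed sample: template 256 = IPV4_SRC_ADDR(8), IPV4_DST_ADDR(12), L4_DST_PORT(11)
TEMPLATE = flowset(0, struct.pack("!8H", 256, 3, 8, 4, 12, 4, 11, 2))
DATA = flowset(256, bytes([10, 0, 2, 2, 10, 0, 2, 15, 0, 22, 0, 0]))  # 10 bytes + 2 pad

if __name__ == "__main__":
    c = V9Collector()
    print(c.feed("10.0.2.2", packet(1, DATA)), len(c.pending))
    print(c.feed("10.0.2.2", packet(1, TEMPLATE)), len(c.pending))
```

Templates are keyed by exporter address and source ID as well as template ID, so one exporter cannot overwrite another's template.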
