
Splunk Stream: Is there a workaround for this error "Decoding sFlow version 589829 is not supported yet"?

Explorer

I am trying to get Splunk Stream working with Flows from an ASA v9.6(2). I finally have it mostly working but now I'm seeing the error:

ERROR [140349472376576] (NetflowManager/sflowDecoder.cpp:34) stream.NetflowReceiver - sFlowDecoder::generateEvents Decoding sFlow version 589829 is not supported yet.

I assume that this means that my version isn't supported. Does anybody know if there is a workaround for this? If not, is there a different app that might work?

Splunk Employee

@mmacdonald70,

589829 doesn't look like a valid sFlow version (AFAIK only sFlow v5 exists as of now), so I'd guess the problem is in the data format. Are you by any chance sending some decoded/formatted sFlow? For example, some devices support formatting sFlow records as JSON, etc. Stream expects the "native" binary sFlow protocol.

Also, ASA is a Cisco device, and being such I'd expect it to generate netflow, not sFlow (they're binary different). You may want to change your Stream configuration to receive netflow (i.e. netflowReceiver.0.decoder = netflow).

Explorer

Looks like you are right; it looks like this isn't sFlow at all. After capturing the traffic, opening it in Wireshark and decoding it as NetFlow, it loaded and told me it was Cisco NetFlow/IPFIX version 9. Unfortunately now, when I change the input to NetFlow, I'm getting these errors:

2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:39 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 88
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 260
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 260 from source 0 . Dropping flow data set of size 68
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 776
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:42 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 88
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 604
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 256 from source 0 . Dropping flow data set of size 100
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 263 from source 0 . Dropping flow data set of size 172
2017-01-19 15:46:45 ERROR [140342200358656] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template definition received with id 261 from source 0 . Dropping flow data set of size 56

Splunk Employee

It may be a transient startup condition. NetFlow v9 uses templates that tell the receiver how to interpret each particular data record. The generating device sends these templates every so often, so once Stream receives them it should be able to parse the data and these errors should stop. You may tune up the template broadcasting frequency on the ASA (assuming it's configurable).

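To make the template dependency described in the reply above concrete, here is an added Python example (written for this thread, not Splunk Stream's own code): a minimal NetFlow v9 decoder that caches templates per (source id, template id) and drops any data flowset whose template has not been received yet, which is the condition behind the errors quoted earlier. It also shows where the original "sFlow version 589829" came from: the first four bytes of a v9 packet with version 9 and record count 5 are 0x00090005, which an sFlow decoder reads as one 32-bit version field. The field type numbers, the sample template 256 and the packet bytes are constructed for the example.

```python
import struct
from itertools import accumulate
# RFC 3954 field type numbers used by the constructed sample template below
FIELD_NAMES = {8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port", 4: "proto"}

class NetflowV9Decoder:   # caches templates per (source_id, template_id); data without one is dropped
    def __init__(self):
        self.templates, self.dropped = {}, []
    def decode(self, pkt):
        _ver, _count, _uptime, _secs, _seq, src = struct.unpack("!HHIIII", pkt[:20])   # v9 header
        records, off = [], 20
        while off + 4 <= len(pkt):                       # walk the flowsets
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:                               # template flowset: learn record layouts
                self._learn_templates(src, body)
            elif fs_id >= 256:                           # data flowset, keyed by template id
                tpl = self.templates.get((src, fs_id))
                if tpl is None:                          # the condition behind Stream's error
                    self.dropped.append(f"No template definition received with id {fs_id} from source {src}")
                else:
                    records.extend(self._decode_data(tpl, body))
            off += fs_len
        return records
    def _learn_templates(self, src, body):
        off = 0
        while off + 4 <= len(body):
            tid, n = struct.unpack("!HH", body[off:off + 4])
            self.templates[(src, tid)] = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(n)]
            off += 4 + 4 * n
    def _decode_data(self, tpl, body):
        rec_len, starts = sum(l for _, l in tpl), list(accumulate((l for _, l in tpl), initial=0))
        return [{FIELD_NAMES.get(t, f"type{t}"): int.from_bytes(body[off + s:off + s + l], "big")
                 for (t, l), s in zip(tpl, starts)}
                for off in range(0, len(body) - rec_len + 1, rec_len)]   # trailing bytes are padding

def v9_packet(src, count, *flowsets):   # constructed exporter: v9 header + already-padded flowsets
    return struct.pack("!HHIIII", 9, count, 1000, 1484841999, 1, src) + b"".join(flowsets)
def misread_as_sflow(pkt):   # an sFlow decoder takes the first 4 bytes as one 32-bit version field
    return int.from_bytes(pkt[:4], "big")
# Constructed template 256: IPv4 src/dst (4 bytes each), src/dst port (2), proto (1) -> 13-byte records
TEMPLATE_FS = struct.pack("!HHHH", 0, 28, 256, 5) + struct.pack("!10H", 8, 4, 12, 4, 7, 2, 11, 2, 4, 1)
DATA_FS = struct.pack("!HHIIHHB", 256, 20, 0x0A000001, 0xC0A80001, 443, 51515, 6) + b"\x00" * 3  # 13 B + pad

def simulate_late_template():   # data before its template is dropped; once it arrives the same data decodes
    d = NetflowV9Decoder()
    before = d.decode(v9_packet(0, 1, DATA_FS))
    after = d.decode(v9_packet(0, 2, TEMPLATE_FS, DATA_FS))
    return before, after, d.dropped
```

Shortening the ASA template timeout, as the replies below suggest, shortens the window in which `simulate_late_template`'s first case (data arriving before its template) applies.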

Contributor

Yes, ASA template timeout is configurable, and defaults to 30 minutes. It could be changed with the following command:

flow-export template timeout-rate "minutes"


Splunk Employee

I just checked the ASA docs and it seems like it sends (exports) NetFlow templates every 30 minutes by default.

You may want to change it to a shorter value with this command:

flow-export template timeout-rate <minutes>

http://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html
