Forum Discussion

Sarah
Oct 21, 2023
Solved

IPFIX Elements

Hello Everyone,

I have created an iRule to query the HTTP hostname, URI, and response code and ship them, along with other info, to Elastic collectors through the IPFIX log publisher.

But we ran into an issue: the collectors were not able to decode the template, with the error message "unsupported field in template".

I have been using the standard IPFIX elements built into the BIG-IP system in my iRule.

Below is a snippet of the iRule and the IPFIX elements used:

    if { $static::http_rule1_tmplt == "" } {
        # The template is created once and cached in a static variable so
        # every subsequent request reuses it; the names are the IPFIX
        # Information Elements built into BIG-IP.
        set static::http_rule1_tmplt [IPFIX::template create "flowStartMilliseconds \
            sourceIPv4Address \
            tcpSourcePort \
            destinationIPv4Address \
            tcpDestinationPort \
            postNATDestinationIPv4Address \
            postNAPTDestinationTransportPort \
            httpHostname \
            httpUrl \
            httpResponseCode \
            flowEndMilliseconds"]
    }

When analyzing the traffic in Wireshark, we noticed the HTTP elements show up as [pen: F5 Networks Inc]; I wonder if this has to do with the collectors not being able to decode the template?

Thank you!

    Hello Reader,

    Thankfully, we found the answer!

    So, basically, some elements such as the HTTP ones I'm using in my above iRule, which are built into the BIG-IP system, are defined by IANA under F5's Private Enterprise Number (PEN) 12276. Hence, [pen: F5 Networks Inc] appeared in Wireshark in place of the actual field name, unlike the other standard fields.

    Solution

    In my case, using Logstash and the netflow codec, for any non-standard element (not under PEN 0), we must override the YAML file containing the IPFIX field definitions (id, data type, and enterprise id) for the flow to get decoded and to avoid errors being thrown such as "unsupported field in template".

    Please feel free to update the post should you have any queries.

    Regards,

    Sarah.
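The decoding failure described in this answer, reproduced as an added example that is not part of the original post: a small RFC 7011 template-set encoder and parser in Python that flags the elements a collector has no definition for, first with IANA (PEN 0) definitions only and then with PEN 12276 entries added, which is the same effect the Logstash netflow codec definitions override has. The IANA element IDs are taken from the IANA IPFIX registry; the F5 HTTP element IDs are not on the page, so IDs 1 to 3 under PEN 12276 are placeholders.

```python
import struct
# IANA (PEN 0) element IDs come from the IANA IPFIX registry. The F5 HTTP element
# IDs are not on the page, so 1-3 under PEN 12276 are placeholders (constructed).
IANA_DEFINITIONS = {
    (0, 152): "flowStartMilliseconds", (0, 8): "sourceIPv4Address",
    (0, 182): "tcpSourcePort", (0, 12): "destinationIPv4Address",
    (0, 183): "tcpDestinationPort", (0, 226): "postNATDestinationIPv4Address",
    (0, 228): "postNAPTDestinationTransportPort", (0, 153): "flowEndMilliseconds"}
F5_PEN = 12276
F5_OVERRIDES = {(F5_PEN, 1): "httpHostname", (F5_PEN, 2): "httpUrl",
                (F5_PEN, 3): "httpResponseCode"}

def build_template_message(field_specs, template_id=256):
    """Encode (pen, element_id, length) specs as one IPFIX message carrying one
    template set (RFC 7011); enterprise elements set bit 15 and append the PEN."""
    body = b""
    for pen, ie_id, length in field_specs:
        body += (struct.pack("!HHI", ie_id | 0x8000, length, pen) if pen
                 else struct.pack("!HH", ie_id, length))
    record = struct.pack("!HH", template_id, len(field_specs)) + body
    header = struct.pack("!HHIII", 10, 20 + len(record), 0, 0, 1)  # version 10
    return header + struct.pack("!HH", 2, 4 + len(record)) + record  # set id 2

def parse_template_set(data):
    """Decode such a message; returns (template_id, [(pen, element_id, length)])."""
    if struct.unpack_from("!H", data, 0)[0] != 10 or struct.unpack_from("!H", data, 16)[0] != 2:
        raise ValueError("expected an IPFIX message carrying a template set")
    template_id, count = struct.unpack_from("!HH", data, 20)
    offset, fields = 24, []
    for _ in range(count):
        ie_id, length = struct.unpack_from("!HH", data, offset)
        offset, pen = offset + 4, 0
        if ie_id & 0x8000:                       # enterprise bit: 4-byte PEN follows
            ie_id, pen = ie_id & 0x7FFF, struct.unpack_from("!I", data, offset)[0]
            offset += 4
        fields.append((pen, ie_id, length))
    return template_id, fields

def unsupported_fields(fields, definitions):
    """The (pen, element_id) pairs a collector with these definitions cannot decode."""
    return [(pen, ie_id) for pen, ie_id, _ in fields if (pen, ie_id) not in definitions]

# Constructed template in the iRule's element order; length 0xFFFF = variable length.
SAMPLE_FIELDS = [(0, 152, 8), (0, 8, 4), (0, 182, 2), (0, 12, 4), (0, 183, 2),
                 (0, 226, 4), (0, 228, 2), (F5_PEN, 1, 0xFFFF), (F5_PEN, 2, 0xFFFF),
                 (F5_PEN, 3, 2), (0, 153, 8)]
if __name__ == "__main__":
    _, fields = parse_template_set(build_template_message(SAMPLE_FIELDS))
    print("IANA only  :", unsupported_fields(fields, IANA_DEFINITIONS))
    print("with F5 PEN:", unsupported_fields(fields, {**IANA_DEFINITIONS, **F5_OVERRIDES}))
```

With only the PEN 0 definitions the three HTTP elements come back as unsupported, which is the collector-side view of the Wireshark [pen: F5 Networks Inc] display; adding the PEN 12276 entries clears the list.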

2 Replies

  • Certainly! The issue may stem from custom HTTP elements not recognized by collectors. Ensure elements align with IPFIX standards. Check collector documentation for compatibility and consider using standard Information Elements.
