Logging nonstandard fields #279
Comments
|
Hi @normelton,
Yes. Once GoFlow2 has the template, it will map the IPFIX data fields it into a protobuf field Have you seen the example mapping.yaml? Try with the following config and pass it to the goflow2 CLI using formatter:
fields:
- type
- time_received_ns
- postnat
protobuf:
- name: postnat
index: 999
type: bytes
render:
postnat: ip
ipfix:
mapping:
- field: 225
destination: postnat |
|
Yep I've been working through the mapping.yaml syntax. Using your sample, I get:
If I remove the 'render' section, I do get output that shows the three fields, with the postnat IP address in hex. That's progress! |
|
Are you using the latest version of GoFlow2 v2.1.1? |
|
Ahh, I had a YAML-typo, converting to a map element fixed that. No more error, but the field is still displaying as hex. Yes, version 2.1.1. I double confirmed that my Just to be sure, here's my mapping.yaml file: formatter:
fields:
- type
- nat_event
- time_received_ns
- bytes
- packets
- src_addr
- dst_addr
- src_port
- dst_port
- postnat
protobuf:
- name: postnat
index: 999
type: bytes
- name: nat_event
index: 998
type: varint
render:
postnat: ip
ipfix:
mapping:
- field: 225
destination: postnat
- field: 230
destination: nat_event |
|
I'll try to reproduce. Just in case, would you be able to provide a pcap (just need 1 template and 1 data packet). |
|
Sure thing, attached. |
|
Was able to reproduce. |
|
Brilliant, that worked. This is enough for our proof-of-concept, we'll watch for the fix in an upcoming release. Thanks so much! |
This just a newbie question ...
Our IPFIX exporter is sending fields that are not included in the default output, such as postNATSourceIPv4Address (id 225). I think I understand the concept of mapping one field into another, but is there a recipe for adding this field to the regular output? Do I need to wait for the goflow2 to receive a template from the exporter to recognize the packet format?
Thanks!
The text was updated successfully, but these errors were encountered: