Logstash Netflow Codec definition for Netflow v9 nsel for Cisco ASA 5500 series.

netflow_nsel_reorder.yaml

---
148:
- 4
- :nf_f_conn_id
8:
- 4
- :nf_f_src_addr_ipv4
7:
- 2
- :nf_f_src_port
10:
- 1
- :nf_f_src_intf_id
12:
- 4
- :nf_f_dst_addr_ipv4
11:
- 2
- :nf_f_dst_port
14:
- 2
- :nf_f_dst_intf_id
4:
- 1
- :nf_f_protocol
176:
- 1
- :nf_f_icmp_type
177:
- 1
- :nf_f_icmp_code
40001:
- 4
- :nf_f_xlate_src_addr_ipv4
40002:
- 4
- :nf_f_xlate_dst_addr_ipv4
40003:
- 2
- :nf_f_xlate_src_port
40004:
- 2
- :nf_f_xlate_dst_port
40005:
- 1
- :nf_f_fw_event
33002:
- 2
- :nf_f_fw_ext_event
323:
- 8
- :nf_f_event_time_msec
85:
- 4
- :nf_f_flow_bytes
33000:
- 12
- :nf_f_ingress_acl_id
33001:
- 12
- :nf_f_egress_acl_id
40000:
- 20
- :nf_f_username

This is great, exactly what I've been looking for. My only question is, how do I install this custom codec?

@negeric - looks like you can override the default netflow field descriptions by pointing to this file in the logstash conf using the "definitions" field. See http://logstash.net/docs/1.4.2/codecs/netflow. It looks like hatant39 pulled the spec data from the Cisco docs at http://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html

I still get "No matching template" errors when using this definition file with my Cisco ASA.

{:timestamp=>"2015-12-03T10:37:13.061000+0800", :message=>"No matching template for flow id 256", :level=>:warn}
{:timestamp=>"2015-12-03T10:37:13.817000+0800", :message=>"No matching template for flow id 256", :level=>:warn}
{:timestamp=>"2015-12-03T10:37:14.811000+0800", :message=>"No matching template for flow id 263", :level=>:warn}