Hi,
After upgrading to version 2.2.3, the customer has a concern that the /var/log/messages file is being flooded with the following messages:
Nov 23 09:50:59 host001 nfcapd[17532]: Process_v9: flowset zero length error.
Nov 23 09:50:59 host001 nfcapd[17532]: Process_v9: flowset zero length error.
Nov 23 09:50:59 host001 nfcapd[17532]: Process_v9: flowset length error. Expected bytes: 60983 > buffersize: 1
Nov 23 09:50:59 host001 nfcapd[17524]: Process_v9: flowset zero length error.
There are approximately 1200 of these messages per minute.
[root@host001 log]# cat /var/log/messages | grep 'Nov 23 09:50' | wc -l
1281
The server appears to be collecting netflow data without issue.
1. How do we eliminate these errors in the log file?
2. Can we write nfcapd related messages to a different log file, as the /var/log/messages file is also used to log other important system information.
Regards
Zee
Log issues after upgrade to 2.2.3
Re: Log issues after upgrade to 2.2.3
What make / model is the source?
As a quick test, on the source side - configure it to use netflow version 5 instead of version 9 and wait at least five minutes. Do you still see these errors on NNA then?
Apart from that test, I'd have to say the source is sending an invalid data flowset or template flowset.
Based on those error messages, I would check that the data FlowSet Length field is correct. Refer to table 7 here:
http://www.cisco.com/en/US/technologies ... a3db9.html
Also, template records have a limited lifetime so they must be periodically refreshed. This responsibility falls on the sender (source device) as I understand it.
Lastly, I don't think the update to 2.2.3 would have anything to do with this: nfcapd was not changed at all in 2.2.3, and we have not received any other reports about this behaviour. 2.2.3 was released 08/15/2016.
Then again, what version did you upgrade from? For your reference, here is the changelog:
https://assets.nagios.com/downloads/nag ... 1456514247
Be sure to check out the Knowledgebase for helpful articles and solutions!
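The FlowSet Length check suggested in the reply above, as an added example that is not part of the original thread and is not nfcapd's own code: a Python function that walks the FlowSets in one captured NetFlow v9 UDP payload and reports zero or oversized length fields. The function name is hypothetical and the sample packets are constructed.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HEADER = struct.Struct("!HH")  # flowset_id, length (length includes these 4 bytes)

def check_v9_flowsets(payload: bytes) -> list[str]:
    """Walk the FlowSets of one NetFlow v9 export packet and report length problems."""
    if len(payload) < V9_HEADER.size:
        return ["packet shorter than the 20-byte v9 header"]
    version = V9_HEADER.unpack_from(payload)[0]
    if version != 9:
        return [f"not NetFlow v9 (version field = {version})"]
    findings = []
    offset = V9_HEADER.size
    while offset < len(payload):
        left = len(payload) - offset
        if left < FLOWSET_HEADER.size:
            findings.append(f"offset {offset}: {left} trailing byte(s), too short for a FlowSet header")
            break
        flowset_id, length = FLOWSET_HEADER.unpack_from(payload, offset)
        # A bad length makes every later offset meaningless, so stop at the first one.
        if length == 0:
            findings.append(f"offset {offset}: FlowSet id {flowset_id} has zero length")
            break
        if length < FLOWSET_HEADER.size:
            findings.append(f"offset {offset}: FlowSet id {flowset_id} length {length} is below the 4-byte header")
            break
        if length > left:
            findings.append(f"offset {offset}: FlowSet id {flowset_id} declares {length} bytes but only {left} remain")
            break
        offset += length
    return findings

def _packet(*flowsets: bytes) -> bytes:
    """Build a constructed v9 packet: header followed by the given FlowSets."""
    return V9_HEADER.pack(9, len(flowsets), 0, 0, 0, 0) + b"".join(flowsets)

# Constructed samples. Template FlowSet (id 0): template 256 with one field, type 8, 4 bytes.
TEMPLATE = struct.pack("!HHHHHH", 0, 12, 256, 1, 8, 4)
DATA = struct.pack("!HH4s", 256, 8, bytes([192, 0, 2, 1]))
GOOD = _packet(TEMPLATE, DATA)
ZERO_LEN = _packet(struct.pack("!HH", 256, 0))
OVERSIZE = _packet(TEMPLATE, struct.pack("!HH4s", 256, 60983, b"\x00" * 4))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("zero", ZERO_LEN), ("oversize", OVERSIZE)):
        print(name, check_v9_flowsets(pkt) or "ok")
```

Feed it the UDP payload of export packets captured from the affected sources to see which FlowSet carries the bad length.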
Re: Log issues after upgrade to 2.2.3
Hi,
The customer was running v2.0.0 prior to the upgrade and we didn't see the same issue; however, I was instructed to re-compile a newer release of nfdump on the old NNA version to resolve a different problem. The nfcapd messages are only occurring for Cisco 3650 and Cisco 3850 sources. I suspect this issue is related to an nfcapd extension that has not been enabled.
I have logged a support ticket, but still waiting on a response.
Regards
Zee
Re: Log issues after upgrade to 2.2.3
Thanks for that update, Zee. Definitely let us know what comes about from the ticket you've opened - we'll leave this thread open in the meantime.