About MarinaM

MarinaM · ‎06-14-2026

**Environment** - Cloudera CFM 2.1.7 / Apache NiFi 1.26.0 - Cloudera CDP 7.3.1 - Flow source: Cisco ASA Firewall (IPFIX export) **Issue** The `ListenNetFlow` processor successfully decodes standard IPFIX/NetFlow v9 fields but produces a WARN for every packet that contains Cisco ASA enterprise fields: ``` WARN com.cloudera.nifi.netflow.ListenNetFlow: Sender [/x.x.x.x] Field Type [33002] Length [2] Field Decoder not found WARN com.cloudera.nifi.netflow.ListenNetFlow: Sender [/x.x.x.x] Field Type [33001] Length [12] Field Decoder not found WARN com.cloudera.nifi.netflow.ListenNetFlow: Sender [/x.x.x.x] Field Type [33000] Length [12] Field Decoder not found WARN com.cloudera.nifi.netflow.ListenNetFlow: Sender [/x.x.x.x] Field Type [40000] Length [12] Field Decoder not found ``` At production NetFlow volume, this generates thousands of WARN lines per second, making `nifi-app.log` effectively unusable for monitoring other issues. More critically, the data in these fields is silently dropped: | Field ID | Cisco Name | Description | |---|---|---| | 33000 | INGRESS_ACL_ID | ACL that matched the flow on ingress | | 33001 | EGRESS_ACL_ID | ACL that matched the flow on egress | | 33002 | FW_EVENT | Firewall event type (allow / deny / teardown) | These are Cisco Private Enterprise Number (PEN 9) fields. They are documented in Cisco's IPFIX implementation guide and are present in every flow exported by Cisco ASA firewalls. For security operations use cases, `FW_EVENT` (33002) in particular is essential — it identifies whether a connection was permitted or denied. **Expected behavior** `ListenNetFlow` should support registering enterprise IPFIX field decoders via configuration (PEN + field ID mapping), so operators can define custom fields without modifying processor source code. As a baseline, well-known Cisco PEN 9 fields (33000, 33001, 33002) should be included in the default field registry. Unknown enterprise fields should be logged at DEBUG, not WARN, since encountering undefined vendor fields is expected behavior in production IPFIX environments. **Impact** - Log files roll too fast to monitor other issues - ACL and firewall event data is lost from every flow record - Security teams lose visibility into deny/allow decisions at the firewall level Happy to provide packet captures or field mapping documentation if useful.

MarinaM · ‎03-26-2025

@MattWho appriciate your response

MarinaM · ‎03-26-2025

Dear Matt, Thank you for your response; it was incredibly helpful. Based on your feedback and the link you shared, I have revised my design. Below are the key points regarding my implementation: All my data follows the same schema. Before merging, I convert the data to a JSON format to ensure consistency. There are no failures occurring during the merge process. The merge operation successfully produces a merged file. However, I am still receiving the original output, which I need to eliminate. Following the documentation, I have adjusted my design to include multiple consecutive merge steps, as illustrated in the attached diagram. Given the large volume of flow data, I have allocated high system specifications to optimise performance. Additionally, my heap size is currently set to 42 GB. Would increasing it further be beneficial? To mitigate swap-related issues, I have adjusted the swap space to 300,000 (from 20,000) since I previously experienced rapid memory fill-up. Could you advise on any potential side effects of this change? Looking forward to your insights.

MarinaM · ‎03-24-2025

Hello everyone, I have developed an Apache NiFi flow that ingests streaming data, converts it to JSON, merges the records, and then stores them in HDFS. However, I have observed a couple of issues: File Structure: After the merge operation, many files retain their original structure rather than being merged as expected. Performance: Increasing the number of pins along with the minimum and maximum record counts and bin sizes causes the merge process to become significantly slower. Conversely, reducing these parameters results in files that mostly maintain their original structure. Could anyone provide insights or recommendations on how to resolve these issues? Thank you. My crrunt cnfigration that cause the flow to go the orginal current comigration where it causes go to original The flow the flow The congigration that never showsnmerged records. with this cofigration will take forever to merge I didn't see any output

MarinaM · ‎03-12-2025

Hi @haridjh, The server is supposed to stream all the NetFlow data to NiFi. However, why does the time delay between sending the NetFlow and receiving it in NiFi matter?

MarinaM · ‎03-09-2025

Hello, We are forwarding NetFlow v9 data from a core switch and VPN to NiFi. In NiFi, we are using the NetFlow Listener processor to listen to the NetFlow traffic. However, the processor is unable to process the data, and the only information we could find in the logs after enabling debug logging is the following: 2025-03-06 16:25:29,502 WARN com.cloudera.nifi.netflow.ListenNetFlow: ListenNetFlow[id=861330c9-6ffc-1e81-9978-be1bba4f3524] Sender [/0.0.0.0:00000] Cached Template ID [259] not found 2025-03-06 16:25:29,502 DEBUG com.cloudera.nifi.netflow.ListenNetFlow: ListenNetFlow[id=861330c9-6ffc-1e81-9978-be1bba4f3524] Sender [//0.0.0.0:00000] Version [9] FlowSet ID [259] Length [604] Is there anyone faced such issue and help us to identify the cause of this issue and suggest possible solutions? Thank you for your help.

MarinaM · ‎03-08-2025

Hello eveyone we’re experiencing with consuming Kafka from a third-party (Qradar) system outside of CDP. In their configuration, the only SASL mechanisms available for configuration are: PLAIN SCRAM-SHA-256 SCRAM-SHA-512 However, all of these mechanisms are resulting in authentication errors. how we can connect Qradar to kafa to be able to consume the data from kafka Thanks in advance

MarinaM · ‎02-15-2025

Hello, I need your guidance on the following scenario: We have a SIEM (QRadar) infrastructure where Event Collectors receive logs from various data sources. These logs are correlated based on SIEM rules and use cases. we plan to send logs to the SIEM while also storing a copy in a Data Lake. Current Approach: We have structured the workflow as follows: DATA SOURCES → NiFi → Store in DATA LAKE & Forward to SIEM (using PUTTCP processor) Questions: Does NiFi allow segregation of data sources? Handling LEEF logs: logs reach NiFi with the original source IP but leave NiFi with NiFi’s source IP. Since QRadar first looks for the hostname in the payload (and if absent, uses the source IP), this could cause misidentification. Can NiFi be configured to retain the original source IP while forwarding logs, without modifying the original log (to comply with legal requirements)? Log Integrity & Authenticity: Does NiFi ensure log integrity and authenticity for legal and compliance purposes? LEEF Parsing: Is there a NiFi processor available to parse LEEF logs before storing them in HDFS? thanks in advance

Online	Offline
Last Visited	‎06-14-2026 10:20 PM

Member Since	‎06-13-2024 03:06 AM
Last Visited	‎06-14-2026 10:20 PM
Posts	9

Cloudera Community

ListenNetFlow processor does not decode Cisco ASA ...

Re: Apache NiFi Flow: Merging Performance

Re: Apache NiFi Flow: Merging Performance

Apache NiFi Flow: Merging Performance

Re: Issue with NetFlow v9 Processing in NiFi

Issue with NetFlow v9 Processing in NiFi

Kafka Authentication Issues with third party

Assistance Needed: Log Routing and Processing wit...