Custom UDP logs are only listening on ipv6

I set up some custom UDP port integrations. I noticed that a lot of logs were not coming in, so I did netstat on the host. It turns out that it is only listening on ipv6. How can I set it to listen on both or only ipv4?

Hi @phirestalker Welcome to the community!

You are going to need to provide your integration configuration settings if you would like help.

Thanks I wasn't sure what to post. Also, I am using version 8.11.3 of the stack, and I am setting up Fleet managed elastic-agents. I figured the easiest way to show integration configuration for the custom UDP logs was to copy the API call. I have pasted below.

PUT kbn:/api/fleet/package_policies/0f0c6b07-43a7-4d3f-b088-e13ca785b891
{
  "package": {
    "name": "udp",
    "version": "1.17.0"
  },
  "name": "udp-5141",
  "namespace": "default",
  "description": "Syslog from WAX610 wireless AP",
  "policy_id": "60ae7570-ac19-11ee-9483-459dcdc18bc9",
  "vars": {},
  "inputs": {
    "udp-udp": {
      "enabled": true,
      "streams": {
        "udp.generic": {
          "enabled": true,
          "vars": {
            "listen_address": "0.0.0.0",
            "listen_port": "5141",
            "data_stream.dataset": "udp.wax510",
            "max_message_size": "10KiB",
            "keep_null": false,
            "tags": [
              "wap, wireless, netgear"
            ],
            "syslog": true,
            "syslog_options": "field: message\n#format: auto\n#timezone: Local\n",
            "custom": ""
          }
        }
      }
    }
  }
}

Oh, and the agent is on Ubuntu 22.04

Can you share as well any evidence that it is only listening on ipv6? For example, share the result of your netstat on port 5141.

sudo netstat -anp | grep 5141
udp6       0      0 :::5141                 :::*                                97402/filebeat      
unix  3      [ ]         STREAM     CONNECTED     45851414 2654/dockerd         /run/docker.sock

Yeah, it is weird, if you are specifying the bind address as 0.0.0.0 I see no reason for it to even bind on ipv6.

It looks like something on the OS is defaulting to bind to ipv6, I had similar issues with Logstash and Elastcisearch in the past, but those are java applications so you can force them to use ipv4.

Not sure how to do this on a Go application like beats, maybe someone from Elastic has more context.

I think that you could also open an issue on github to get more attention on this, because the bind address is being ignored and it shouldn't be ignored.

1 Like

I guess I will have to. I just disabled ipv6 on my machine by adding a custom config file under /etc/sysctl.d with the following contents:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

I rebooted, and it is still opening an ipv6 UDP port.

I took the nuclear option and just disabled ipv6 in my grub configuration. Now it is using ipv4 ports as it should.

1 Like

It should be related to Linux settings. Check the link.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.