Custom UDP logs are only listening on ipv6

phirestalker · January 6, 2024, 12:12am

I set up some custom UDP port integrations. I noticed that a lot of logs were not coming in, so I did netstat on the host. It turns out that it is only listening on ipv6. How can I set it to listen on both or only ipv4?

stephenb · January 6, 2024, 12:44am

Hi @phirestalker Welcome to the community!

You are going to need to provide your integration configuration settings if you would like help.

phirestalker · January 6, 2024, 12:37pm

Thanks I wasn't sure what to post. Also, I am using version 8.11.3 of the stack, and I am setting up Fleet managed elastic-agents. I figured the easiest way to show integration configuration for the custom UDP logs was to copy the API call. I have pasted below.

PUT kbn:/api/fleet/package_policies/0f0c6b07-43a7-4d3f-b088-e13ca785b891
{
  "package": {
    "name": "udp",
    "version": "1.17.0"
  },
  "name": "udp-5141",
  "namespace": "default",
  "description": "Syslog from WAX610 wireless AP",
  "policy_id": "60ae7570-ac19-11ee-9483-459dcdc18bc9",
  "vars": {},
  "inputs": {
    "udp-udp": {
      "enabled": true,
      "streams": {
        "udp.generic": {
          "enabled": true,
          "vars": {
            "listen_address": "0.0.0.0",
            "listen_port": "5141",
            "data_stream.dataset": "udp.wax510",
            "max_message_size": "10KiB",
            "keep_null": false,
            "tags": [
              "wap, wireless, netgear"
            ],
            "syslog": true,
            "syslog_options": "field: message\n#format: auto\n#timezone: Local\n",
            "custom": ""
          }
        }
      }
    }
  }
}

Oh, and the agent is on Ubuntu 22.04

leandrojmp · January 6, 2024, 12:40pm

Can you share as well any evidence that it is only listening on ipv6? For example, share the result of your netstat on port 5141.

phirestalker · January 6, 2024, 12:42pm

sudo netstat -anp | grep 5141
udp6       0      0 :::5141                 :::*                                97402/filebeat      
unix  3      [ ]         STREAM     CONNECTED     45851414 2654/dockerd         /run/docker.sock

leandrojmp · January 6, 2024, 1:00pm

Yeah, it is weird, if you are specifying the bind address as 0.0.0.0 I see no reason for it to even bind on ipv6.

It looks like something on the OS is defaulting to bind to ipv6, I had similar issues with Logstash and Elastcisearch in the past, but those are java applications so you can force them to use ipv4.

Not sure how to do this on a Go application like beats, maybe someone from Elastic has more context.

I think that you could also open an issue on github to get more attention on this, because the bind address is being ignored and it shouldn't be ignored.

phirestalker · January 6, 2024, 1:15pm

I guess I will have to. I just disabled ipv6 on my machine by adding a custom config file under /etc/sysctl.d with the following contents:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

I rebooted, and it is still opening an ipv6 UDP port.

I took the nuclear option and just disabled ipv6 in my grub configuration. Now it is using ipv4 ports as it should.

Rios · January 7, 2024, 7:06am

It should be related to Linux settings. Check the link.

system · February 4, 2024, 7:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.