Filebeat filtering incoming syslogs?

I'm setting up Filebeat (8.9) on an Elasticsearch (8.9) instance, and it looks like Filebeat is filtering logs from external hosts.

Here's the relevant section from my Filebeat config:

- type: syslog
  format: auto
  protocol.udp:
    host: "0.0.0.0:9002"

It appears the port is open: sudo netstat -nulp shows this:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1216/systemd-resolv
udp6       0      0 :::9002                 :::*                                1687881/filebeat

Curiously, however, ss doesn't show the port being open: sudo ss -ltn shows:

State                Recv-Q                Send-Q                                    Local Address:Port                                Peer Address:Port               Process
LISTEN               0                     4096                                      127.0.0.53%lo:53                                       0.0.0.0:*
LISTEN               0                     128                                             0.0.0.0:22                                       0.0.0.0:*
LISTEN               0                     100                                             0.0.0.0:25                                       0.0.0.0:*
LISTEN               0                     511                                             0.0.0.0:5601                                     0.0.0.0:*
LISTEN               0                     4096                                                  *:9200                                           *:*
LISTEN               0                     4096                                                  *:27761                                          *:*
LISTEN               0                     4096                                                  *:27762                                          *:*
LISTEN               0                     4096                                                  *:27763                                          *:*
LISTEN               0                     4096                                 [::ffff:127.0.0.1]:9300                                           *:*
LISTEN               0                     4096                                              [::1]:9300                                        [::]:*
LISTEN               0                     4096                                                  *:27764                                          *:*
LISTEN               0                     4096                                                  *:27765                                          *:*
LISTEN               0                     4096                                                  *:27766                                          *:*
LISTEN               0                     128                                                [::]:22                                          [::]:*
LISTEN               0                     4096                                                  *:27767                                          *:*
LISTEN               0                     4096                                                  *:27768                                          *:*
LISTEN               0                     100                                                [::]:25                                          [::]:*

I can send a message to myself: echo "test" | nc -w1 -u 127.0.0.1 9002

When I do this, I can see the log showing up in filebeat -e -d "*" and in the Discover GUI.

However, when I send real traffic from another host, nothing shows up. I can see that the packet is being received:

sudo tcpdump -n 'udp port 9002'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eno2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:37:14.925978 IP [external host IP].52936 > [filebeat server IP].9002: UDP, length 102

What am I missing?

One thing to add: When I scan the host with nmap, the port I'm using (9002 UDP) is shown as open|filtered
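A note on the two listings above: `ss -ltn` prints TCP listeners only (`-t`), which is why the UDP socket does not appear in it; `ss -lun` is the UDP equivalent and would show `[::]:9002` just as netstat's `udp6 :::9002` does. A socket bound to the IPv6 wildcard also receives IPv4 datagrams on Linux unless `net.ipv6.bindv6only=1`, which is consistent with the loopback test working. The thread never records what was actually wrong, so the helpers below only show how to check the bind scope, the v6-only sysctl, and how to send a well-formed syslog probe. They are an added example, not part of the original post or of Filebeat; the `ss` sample is constructed from the netstat line in the thread, and the `nc` invocation mirrors the one the poster used.

```shell
#!/bin/sh
# Added diagnostic helpers for the thread above; not part of the original post
# or of Filebeat. Assumes iproute2 ss(8) column layout and a nc(1) that takes -u/-w.

# Constructed sample of `ss -lun` output, modelled on the netstat line in the
# thread (filebeat bound to the IPv6 wildcard, resolver on loopback).
SAMPLE_SS_LUN='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN  0       0       127.0.0.53%lo:53    0.0.0.0:*          users:(("systemd-resolve",pid=1216,fd=12))
UNCONN  0       0       [::]:9002           [::]:*             users:(("filebeat",pid=1687881,fd=10))'

# udp_bind_scope SS_LUN_OUTPUT PORT
# Reports how a UDP port is bound: v4-wildcard, v6-wildcard, loopback,
# v4-addr, v6-addr, or none. Feed it "$(ss -lun)" on a live host.
udp_bind_scope() {
  printf '%s\n' "$1" | awk -v port="$2" '
    NR == 1 { next }                                   # column header
    {
      n = split($4, p, ":")                            # port is the last field
      if (p[n] != port) next
      addr = substr($4, 1, length($4) - length(port) - 1)
      sub(/%.*/, "", addr)                             # strip scope id (%lo)
      if (addr == "0.0.0.0" || addr == "*")     { print "v4-wildcard"; found = 1; exit }
      if (addr == "[::]")                        { print "v6-wildcard"; found = 1; exit }
      if (addr ~ /^127\./ || addr == "[::1]")    { print "loopback";    found = 1; exit }
      if (addr ~ /^\[/)                          { print "v6-addr";     found = 1; exit }
      print "v4-addr"; found = 1; exit
    }
    END { if (!found) print "none" }'
}

# v6_wildcard_accepts_v4 [SYSCTL_PATH]
# A [::] bind also receives IPv4 datagrams unless net.ipv6.bindv6only=1.
# Prints yes, no, or unknown (path missing, e.g. on a non-Linux host).
v6_wildcard_accepts_v4() {
  f="${1:-/proc/sys/net/ipv6/bindv6only}"
  if [ -r "$f" ]; then
    [ "$(cat "$f")" = "0" ] && echo yes || echo no
  else
    echo unknown
  fi
}

# syslog_pri FACILITY SEVERITY -> RFC 3164 PRI value (facility*8 + severity)
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# syslog_msg FACILITY SEVERITY TAG TEXT -> one RFC 3164 line on stdout
syslog_msg() {
  printf '<%s>%s %s %s: %s\n' "$(syslog_pri "$1" "$2")" \
    "$(date '+%b %e %T')" "$(uname -n)" "$3" "$4"
}

# syslog_probe HOST PORT: send a well-formed user.info test line the way the
# thread does with nc, so the collector side can be watched with
# `filebeat -e -d "*"` or `tcpdump -n 'udp port PORT'`.
syslog_probe() {
  syslog_msg 1 6 udp-probe "probe from $(uname -n) $(date +%s)" | nc -w1 -u "$1" "$2"
}
```

On the collector, `udp_bind_scope "$(ss -lun)" 9002` should print `v6-wildcard` for the config in the question, and `v6_wildcard_accepts_v4` should print `yes`; if it prints `no`, IPv4 senders cannot reach a `[::]` bind and the input needs an explicit `0.0.0.0` listener. Run `syslog_probe <collector> 9002` from the remote host while watching `filebeat -e -d "*"` to separate "packet never arrived" from "packet arrived but was not parsed".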

It looks like you have to check the firewall rule for UDP 9002.

There's no network firewall between the two hosts, and since I can see the incoming test traffic with tcpdump, that leaves a host firewall. I'm using Ubuntu, which ships with ufw; it shows:

Status: active

To                         Action      From
--                         ------      ----
9002                       ALLOW       Anywhere
5601                       ALLOW       Anywhere
22                         ALLOW       Anywhere
9200                       ALLOW       Anywhere
9002 (v6)                  ALLOW       Anywhere (v6)
5601 (v6)                  ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
9200 (v6)                  ALLOW       Anywhere (v6)

Which seems to indicate that 9002 UDP is open.

Also, iptables also shows 9002 UDP is open:

sudo iptables -L -v -n | more | grep 9002
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9002
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:9002

I'm sorry to report that this works now. I am sorry because I don't have any lessons to help anyone reading this in the future! Thank you @Rios for your help!
