Filebeat Firewall requirements

bibikmik · January 5, 2016, 12:09pm

Hi, community.

I have:

1 host with application which writes logs in the file and filebeat reads it and send to logstash
logstash cluster of 3 nodes

Firewall rules are opened only as follows:
filebeat (port number 5403) -> (5403) logstash

When I start filebeat it tells me:
2016-01-02T06:59:18-05:00 DBG Try to publish %!s(int=1024) events to logstash with window size %!s(int=10) 2016-01-02T06:59:18-05:00 DBG %!s(int=0) events out of %!s(int=1024) events sent to logstash. Continue sending ... 2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47021->logstash_host:5403: read: connection reset by peer 2016-01-02T06:59:18-05:00 DBG Try to publish %!s(int=1024) events to logstash with window size %!s(int=10) 2016-01-02T06:59:18-05:00 DBG %!s(int=0) events out of %!s(int=1024) events sent to logstash. Continue sending ... 2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47022->logstash_host:5403: read: connection reset by peer

So the question is why filebeat sends each 1024 events using another port number?
In my example they are 47021, 47022...
Why it is not 5403?
I can configure my Firewall rules only for port 5403.

magnusbaeck · January 5, 2016, 1:54pm

So the question is why filebeat sends each 1024 events using another port number?
In my example they are 47021, 47022...

That's the randomly picked local port used by Filebeat. A TCP connection is defined by two (IP, port) endpoints, in your case e.g. (filebeat, 47022) and (logstash_host, 5403). While it's technically possible to pick a particular local port when opening a connection it's quite unusual and Filebeat doesn't support it.

Filebeat is able to make the connection to Logstash (or whatever is listening), so that's good. What's your Logstash configuration?

bibikmik · January 5, 2016, 1:59pm

So what is the solution for Production systems?
Should I open all the ports starting with number 1024 on Production?

magnusbaeck · January 5, 2016, 2:04pm

Firewalls are typically configured to allow any source port (the Filebeat end in this case) because, as I said, source ports are randomly picked from the full range of port numbers. Firewall restrictions are instead placed on the destination port (5403 in your case).

bibikmik · January 5, 2016, 2:27pm

Could you please advise which range exactly you mentioned? In numbers I mean.

magnusbaeck · January 5, 2016, 2:31pm

bibikmik · January 11, 2016, 12:45pm

For those who faced the same issue.
I've got official response from Elastic support as follows:

Source port selection is a function of the underlying operating system, and generally an application has no control over this. See here for details.
For example, Linux systems will choose a random source port between 32768 - 61000.

It was advised to use Stateful Firewall.

Topic		Replies	Views
Filebeat stopped working Beats filebeat	6	4228	July 5, 2017
DBG Try to publish 2048 events to logstash with window size 1024 Beats filebeat	2	1217	May 19, 2017
[Solved] Filebeat -> Logstash : connection reset by peer Beats filebeat	5	42195	June 29, 2017
Which Ports for Logstash and FileBeat Logstash	2	352	April 3, 2018
Filebeat 5.6.16 modifies logstash URL:PORT in runtime Beats filebeat	2	445	May 24, 2019

Filebeat Firewall requirements

Related topics