Filebeat Firewall requirements

Hi, community.

I have:

  • 1 host with an application which writes logs to a file; filebeat reads it and sends to logstash
  • logstash cluster of 3 nodes

Firewall rules are opened only as follows:
filebeat (port number 5403) -> (5403) logstash

When I start filebeat it tells me:
2016-01-02T06:59:18-05:00 DBG Try to publish %!s(int=1024) events to logstash with window size %!s(int=10)
2016-01-02T06:59:18-05:00 DBG %!s(int=0) events out of %!s(int=1024) events sent to logstash. Continue sending ...
2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47021->logstash_host:5403: read: connection reset by peer
2016-01-02T06:59:18-05:00 DBG Try to publish %!s(int=1024) events to logstash with window size %!s(int=10)
2016-01-02T06:59:18-05:00 DBG %!s(int=0) events out of %!s(int=1024) events sent to logstash. Continue sending ...
2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47022->logstash_host:5403: read: connection reset by peer

So the question is: why does filebeat send each batch of 1024 events using a different port number?
In my example they are 47021, 47022...
Why is it not 5403?
I can configure my Firewall rules only for port 5403.

So the question is: why does filebeat send each batch of 1024 events using a different port number?
In my example they are 47021, 47022...

That's the randomly picked local port used by Filebeat. A TCP connection is defined by two (IP, port) endpoints, in your case e.g. (filebeat, 47022) and (logstash_host, 5403). While it's technically possible to pick a particular local port when opening a connection it's quite unusual and Filebeat doesn't support it.

Filebeat is able to make the connection to Logstash (or whatever is listening), so that's good. What's your Logstash configuration?

So what is the solution for Production systems?
Should I open all the ports starting with number 1024 on Production?

Firewalls are typically configured to allow any source port (the Filebeat end in this case) because, as I said, source ports are randomly picked from the full range of port numbers. Firewall restrictions are instead placed on the destination port (5403 in your case).
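The two replies above make one point: a TCP connection is identified by the pair (source IP, source port, destination IP, destination port), the source port is picked by the client's operating system, and a firewall rule therefore matches on the destination port and leaves the source port open. The script below is an added illustration and is not code from this thread or from Filebeat. It opens a few loopback connections to a listener on an OS-chosen port (a stand-in for 5403, since a fixed port may not be free on the machine running it), records the four-tuple of each connection, and then evaluates two constructed, deliberately simplified firewall rules against them: one that matches only the destination port, and one that also pins the source port to 5403 the way the original poster's rule did. The rule format and helper names are assumptions for the example only.

```python
import socket

# Constructed stand-in for the Logstash beats input. Binding to port 0 lets the
# OS choose a free listening port; that port plays the role of 5403 in the thread.
def start_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    # The TCP handshake completes in the kernel as long as the backlog has room,
    # so the example does not need to call accept() to observe the connections.
    srv.listen(16)
    return srv


def observe_connections(n):
    """Open n connections to the listener and return their four-tuples
    (src_ip, src_port, dst_ip, dst_port) as seen from the client side."""
    srv = start_listener()
    dst_ip, dst_port = srv.getsockname()
    clients = []
    tuples = []
    for _ in range(n):
        c = socket.create_connection((dst_ip, dst_port))
        clients.append(c)  # keep open so the kernel cannot reuse the port yet
        src_ip, src_port = c.getsockname()  # the ephemeral port the OS chose
        tuples.append((src_ip, src_port, dst_ip, dst_port))
    for c in clients:
        c.close()
    srv.close()
    return tuples


def rule_allows(rule, conn):
    """Stateless rule check (constructed simplification of a firewall ACL):
    every field present in the rule must equal the connection's value."""
    src_ip, src_port, dst_ip, dst_port = conn
    fields = {"src_ip": src_ip, "src_port": src_port,
              "dst_ip": dst_ip, "dst_port": dst_port}
    return all(fields[k] == v for k, v in rule.items() if v is not None)


def evaluate_rules(tuples, dst_port):
    """Count how many observed connections each rule style would permit."""
    dst_only = {"dst_port": dst_port}                      # recommended in the thread
    src_pinned = {"src_port": dst_port, "dst_port": dst_port}  # the poster's 5403->5403 rule
    return {
        "destination_port_only": sum(rule_allows(dst_only, t) for t in tuples),
        "source_port_pinned_too": sum(rule_allows(src_pinned, t) for t in tuples),
    }


if __name__ == "__main__":
    conns = observe_connections(3)
    for c in conns:
        print("connection %s:%d -> %s:%d" % c)
    print(evaluate_rules(conns, conns[0][3]))
```

Running it shows three different source ports against one destination port; the destination-only rule permits all three connections and the source-pinned rule permits none, which is exactly the "connection reset" symptom a source-port restriction produces in front of a beats listener.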

Could you please advise which range exactly you mentioned? In numbers I mean.


For those who faced the same issue.
I've got an official response from Elastic support as follows:

Source port selection is a function of the underlying operating system, and generally an application has no control over this. See here for details.
For example, Linux systems will choose a random source port between 32768 - 61000.

It was advised to use a stateful firewall.
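A practical way to confirm the support answer against the log output quoted in the question is to parse the `read tcp filebeat:47021->logstash_host:5403` fragments out of Filebeat's error lines and check that every source port falls inside the operating system's ephemeral range. The script below is an added example, not part of this thread or of Filebeat. The sample log lines are constructed from the ones quoted above; the regular expression, the helper names and the fallback range of 32768-61000 (the figure quoted from Elastic support, used only when `/proc/sys/net/ipv4/ip_local_port_range` cannot be read) are assumptions for the example.

```python
import re
from pathlib import Path

# Constructed sample: two of the INFO lines quoted in the question above.
SAMPLE_LOG = """\
2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47021->logstash_host:5403: read: connection reset by peer
2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47022->logstash_host:5403: read: connection reset by peer
"""

# Matches the Go net error fragment "read tcp <src>:<sport>-><dst>:<dport>:".
ENDPOINTS = re.compile(
    r"read tcp (?P<src>[^\s:]+):(?P<sport>\d+)->(?P<dst>[^\s:]+):(?P<dport>\d+):"
)

# Fallback quoted from the support response when /proc is unavailable (non-Linux).
DEFAULT_RANGE = (32768, 61000)


def local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range", default=DEFAULT_RANGE):
    """Return the kernel's ephemeral (source) port range, or the default."""
    try:
        lo, hi = Path(path).read_text().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return default


def parse_endpoints(log_text):
    """Extract (src_host, src_port, dst_host, dst_port) from each error line."""
    found = []
    for line in log_text.splitlines():
        m = ENDPOINTS.search(line)
        if m:
            found.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return found


def firewall_summary(log_text, port_range=DEFAULT_RANGE):
    """Summarise what a destination-port firewall rule needs to cover:
    the fixed destination port(s) and the fact that source ports are ephemeral."""
    lo, hi = port_range
    endpoints = parse_endpoints(log_text)
    return {
        "destination_ports": sorted({e[3] for e in endpoints}),
        "source_ports": sorted({e[1] for e in endpoints}),
        "all_sources_ephemeral": bool(endpoints) and all(lo <= e[1] <= hi for e in endpoints),
    }


if __name__ == "__main__":
    rng = local_port_range()
    print("ephemeral range on this host:", rng)
    print(firewall_summary(SAMPLE_LOG, rng))
```

For the quoted lines the summary reports a single destination port, 5403, and source ports 47021 and 47022 that both sit inside the 32768-61000 range, so the only fixed value the firewall rule can key on is the destination port.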