Filebeat Firewall requirements


(Mikhail) #1

Hi, community.

I have:

  • 1 host with an application which writes logs to a file, and filebeat reads it and sends it to logstash
  • logstash cluster of 3 nodes

Firewall rules are opened only as follows:
filebeat (port number 5403) -> (5403) logstash

When I start filebeat it tells me:
2016-01-02T06:59:18-05:00 DBG Try to publish %!s(int=1024) events to logstash with window size %!s(int=10)
2016-01-02T06:59:18-05:00 DBG %!s(int=0) events out of %!s(int=1024) events sent to logstash. Continue sending ...
2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47021->logstash_host:5403: read: connection reset by peer
2016-01-02T06:59:18-05:00 DBG Try to publish %!s(int=1024) events to logstash with window size %!s(int=10)
2016-01-02T06:59:18-05:00 DBG %!s(int=0) events out of %!s(int=1024) events sent to logstash. Continue sending ...
2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47022->logstash_host:5403: read: connection reset by peer

So the question is: why does filebeat send each 1024 events using another port number?
In my example they are 47021, 47022...
Why is it not 5403?
I can configure my firewall rules only for port 5403.


(Magnus Bäck) #2

So the question is: why does filebeat send each 1024 events using another port number?
In my example they are 47021, 47022...

That's the randomly picked local port used by Filebeat. A TCP connection is defined by two (IP, port) endpoints, in your case e.g. (filebeat, 47022) and (logstash_host, 5403). While it's technically possible to pick a particular local port when opening a connection, it's quite unusual and Filebeat doesn't support it.

Filebeat is able to make the connection to Logstash (or whatever is listening), so that's good. What's your Logstash configuration?


(Mikhail) #3

So what is the solution for Production systems?
Should I open all the ports starting with number 1024 on Production?


(Magnus Bäck) #4

Firewalls are typically configured to allow any source port (the Filebeat end in this case) because, as I said, source ports are randomly picked from the full range of port numbers. Firewall restrictions are instead placed on the destination port (5403 in your case).


(Mikhail) #5

Could you please advise which range exactly you mentioned? In numbers I mean.


(Magnus Bäck) #6

(Mikhail) #7

For those who faced the same issue.
I've got an official response from Elastic support as follows:

Source port selection is a function of the underlying operating system, and generally an application has no control over this. See here for details.
For example, Linux systems will choose a random source port between 32768 - 61000.

It was advised to use a stateful firewall.
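
Added example, not part of the thread or of Elastic's reply: a Python sketch of the two points made above, that the OS picks a different source port for each connection while the destination port stays fixed, and that a stateful firewall can match new connections on destination port alone and still pass the replies. The loopback listener, `stateless_permit` and `StatefulFirewall` are hypothetical names for illustration, and the packets are constructed from the host names and ports in the log.

```python
import socket

def observe_source_ports(connections=3):
    """Connect several times to one local listener; return (dst_port, src_ports)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # stand-in for the Logstash listener (5403 in the thread)
    listener.listen(connections)
    dst_port = listener.getsockname()[1]
    clients = [socket.create_connection(("127.0.0.1", dst_port)) for _ in range(connections)]
    src_ports = [c.getsockname()[1] for c in clients]  # chosen by the OS, not the application
    for c in clients:
        c.close()
    listener.close()
    return dst_port, src_ports

def stateless_permit(dport, allowed_dst_ports):
    """Stateless filter: every packet, in either direction, is judged on destination port alone."""
    return dport in allowed_dst_ports

class StatefulFirewall:
    """Toy connection tracker: new flows are matched on destination port only,
    replies are matched against the table of flows already permitted."""
    def __init__(self, allowed_dst_ports):
        self.allowed = set(allowed_dst_ports)
        self.tracked = set()

    def permit(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.tracked:  # reply on a tracked connection
            return True
        if dport in self.allowed:                     # new connection to the allowed service
            self.tracked.add((src, sport, dst, dport))
            return True
        return False                                  # anything else, whatever its source port

if __name__ == "__main__":
    dst, srcs = observe_source_ports()
    print(f"destination port {dst}, OS-chosen source ports {srcs}")
    fw = StatefulFirewall({5403})
    # Constructed packets using the host names and ports from the log above.
    print(fw.permit("filebeat", 47021, "logstash_host", 5403))   # True: new flow to 5403
    print(fw.permit("logstash_host", 5403, "filebeat", 47021))   # True: reply on tracked flow
    print(fw.permit("logstash_host", 5403, "filebeat", 47022))   # False: no such flow yet
    print(stateless_permit(47021, {5403}))                       # False: reply would be dropped
```

The last line shows why a stateless rule that only names port 5403 is not enough: the reply from Logstash is addressed to the ephemeral port, so it needs either connection tracking or a separate return rule.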

