1 host with an application which writes logs to a file, and filebeat reads it and sends it to logstash
logstash cluster of 3 nodes
Firewall rules are opened only as follows:
filebeat (port number 5403) -> (5403) logstash
When I start filebeat it tells me:
2016-01-02T06:59:18-05:00 DBG Try to publish %!s(int=1024) events to logstash with window size %!s(int=10)
2016-01-02T06:59:18-05:00 DBG %!s(int=0) events out of %!s(int=1024) events sent to logstash. Continue sending ...
2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47021->logstash_host:5403: read: connection reset by peer
2016-01-02T06:59:18-05:00 DBG Try to publish %!s(int=1024) events to logstash with window size %!s(int=10)
2016-01-02T06:59:18-05:00 DBG %!s(int=0) events out of %!s(int=1024) events sent to logstash. Continue sending ...
2016-01-02T06:59:18-05:00 INFO Error publishing events (retrying): read tcp filebeat:47022->logstash_host:5403: read: connection reset by peer
So the question is why filebeat sends each 1024 events using another port number?
In my example they are 47021, 47022...
Why is it not 5403?
I can configure my Firewall rules only for port 5403.
> So the question is why filebeat sends each 1024 events using another port number?
> In my example they are 47021, 47022...
That's the randomly picked local port used by Filebeat. A TCP connection is defined by two (IP, port) endpoints, in your case e.g. (filebeat, 47022) and (logstash_host, 5403). While it's technically possible to pick a particular local port when opening a connection it's quite unusual and Filebeat doesn't support it.
Filebeat is able to make the connection to Logstash (or whatever is listening), so that's good. What's your Logstash configuration?
Firewalls are typically configured to allow any source port (the Filebeat end in this case) because, as I said, source ports are randomly picked from the full range of port numbers. Firewall restrictions are instead placed on the destination port (5403 in your case).
For those who faced the same issue.
I've got an official response from Elastic support, as follows:
Source port selection is a function of the underlying operating system, and generally an application has no control over this. See here for details.
For example, Linux systems will choose a random source port between 32768 - 61000.
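
The behaviour described in the replies above, as an added example that is not part of the original thread: several client connections to one listener each get a different OS-chosen source port while the destination port stays fixed, so only a rule keyed on the destination port matches them. The loopback listener on an OS-chosen port stands in for logstash_host:5403, and the `(src_port, dst_port)` rule tuples are a hypothetical model of firewall rules, not any product's syntax.

```python
import socket


def observe_source_ports(count=3):
    """Open `count` simultaneous client connections to one loopback
    listener and return (destination_port, [client source ports])."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.settimeout(5)
    server.bind(("127.0.0.1", 0))  # assumption: stand-in for logstash_host:5403
    server.listen(count)
    dst_port = server.getsockname()[1]
    clients, accepted, src_ports = [], [], []
    try:
        for _ in range(count):
            c = socket.create_connection(("127.0.0.1", dst_port), timeout=5)
            clients.append(c)
            conn, _peer = server.accept()
            accepted.append(conn)
            # Local (source) port picked by the operating system.
            src_ports.append(c.getsockname()[1])
    finally:
        for s in clients + accepted + [server]:
            s.close()
    return dst_port, src_ports


def rule_matches(rule, src_port, dst_port):
    """Hypothetical rule model: (src_port or None for 'any', dst_port)."""
    want_src, want_dst = rule
    return (want_src is None or want_src == src_port) and want_dst == dst_port


def demo():
    dst, srcs = observe_source_ports()
    fixed_src_rule = (dst, dst)   # like "filebeat (5403) -> (5403) logstash"
    any_src_rule = (None, dst)    # any source port -> destination port
    return {
        "dst": dst,
        "srcs": srcs,
        "fixed_src": [rule_matches(fixed_src_rule, s, dst) for s in srcs],
        "any_src": [rule_matches(any_src_rule, s, dst) for s in srcs],
    }


if __name__ == "__main__":
    print(demo())
```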