Filebeat + Netflow error: "bind: cannot assign requested address"

Dear all,
I configured Filebeat and NetFlow (softflowd on pfSense) but I got an issue. Is there any solution for that? Thanks
systemctl status filebeat -l
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2020-04-09 21:11:22 +07; 14s ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 10233 (filebeat)
CGroup: /system.slice/filebeat.service
└─10233 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

Apr 09 21:11:22 manager filebeat[10233]: 2020-04-09T21:11:22.230+0700        ERROR        [netflow]        netflow/input.go:164        Error running harvester: listen udp 192.168.1.23:2055: bind: cannot assign requested address
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.162+0700        INFO        pipeline/output.go:95        Connecting to backoff(elasticsearch(https://192.168.1.17:9200))
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.177+0700        INFO        elasticsearch/client.go:753        Attempting to connect to Elasticsearch version 7.5.2
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.215+0700        INFO        template/load.go:169        Existing template will be overwritten, as overwrite is enabled.
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.216+0700        INFO        template/load.go:109        Try loading template wazuh to Elasticsearch
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.259+0700        INFO        template/load.go:101        template with name 'wazuh' loaded.
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.259+0700        INFO        [index-management]        idxmgmt/std.go:293        Loaded index template.
Apr 09 21:11:23 manager filebeat[10233]: 2020-04-09T21:11:23.260+0700        INFO        pipeline/output.go:105        Connection to backoff(elasticsearch(https://192.168.1.17:9200)) established
Apr 09 21:11:32 manager filebeat[10233]: 2020-04-09T21:11:32.231+0700        INFO        [netflow]        netflow/input.go:153        Starting UDP input
Apr 09 21:11:32 manager filebeat[10233]: 2020-04-09T21:11:32.231+0700        ERROR        [netflow]        netflow/input.go:164        Error running harvester: listen udp 192.168.1.23:2055: bind: cannot assign requested address

My lsof:
lsof -i | grep filebeat
filebeat  10233          root    3u  IPv4 14361498      0t0  TCP manager:51888->manager:wap-wsp (ESTABLISHED)
filebeat  10233          root    6u  IPv4 14362667      0t0  TCP manager:51890->manager:wap-wsp (ESTABLISHED)

My filebeat.yml:
# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

#filebeat.config.inputs:
#  enabled: true
#  path: inputs.d/*.yml

filebeat.config.modules:
  enabled: true
  path: /etc/filebeat/modules.d/*.yml

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false

output.elasticsearch.hosts: ['https://192.168.1.17:9200']
output.elasticsearch.username: "elastic"
output.elasticsearch.password: "<password>"
output.elasticsearch.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca.crt"]
output.elasticsearch.ssl.certificate: "/etc/elasticsearch/certs/node-0.crt"
output.elasticsearch.ssl.key: "/etc/elasticsearch/certs/node-0.key"

My netflow.yml:
# Module: netflow
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.5/filebeat-module-netflow.html

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 192.168.1.23
      netflow_port: 2055

Please take a look at this post: Udp 127.0.0.1:2055: bind: address already in use in 7.6 netflow module

Hi, but I didn't configure filebeat.inputs.

I changed from 192.168.1.23 to 0.0.0.0
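
An added example, not part of the thread or of Filebeat: a small Python probe that attempts the same UDP bind and separates the error in this thread (the address is not on a local interface) from the one in the linked post (the port is already taken). The function names and hint strings are this example's own; the address and port are the ones from the post.

```python
import errno
import socket

# Map bind() errno values to the failure modes discussed in this thread.
CAUSES = {
    errno.EADDRNOTAVAIL: "address-not-local",  # "cannot assign requested address"
    errno.EADDRINUSE: "port-in-use",           # "address already in use"
    errno.EACCES: "permission-denied",         # e.g. privileged port without rights
}

HINTS = {
    "ok": "bind succeeds; a listener can start on this address",
    "address-not-local": "IP is not configured on any interface of this host; "
                         "use one of the host's own addresses or 0.0.0.0",
    "port-in-use": "another socket already holds this UDP port; "
                   "look for a duplicate netflow input or a second collector",
    "permission-denied": "port below 1024 or blocked by local policy",
}


def classify(err):
    """Translate an errno from bind() into a short cause label."""
    return CAUSES.get(err, "other")


def check_udp_bind(host, port):
    """Try the UDP bind a NetFlow listener would do and report the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "ok"
    except OSError as exc:
        return classify(exc.errno)
    finally:
        sock.close()


if __name__ == "__main__":
    # Run on the Filebeat host while Filebeat is stopped, otherwise its own
    # listener makes the port show up as in use.
    for host in ("192.168.1.23", "0.0.0.0"):
        result = check_udp_bind(host, 2055)
        print(f"{host}:2055 -> {result}: {HINTS.get(result, 'see errno')}")
```

Binding to 0.0.0.0 accepts flow packets on every interface of the host, and NetFlow over UDP carries no authentication, so a host firewall rule that admits UDP 2055 only from the exporter keeps the listener from taking records from arbitrary senders.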
