Filebeat stops working with error message UDP Package size to large

Hello
As in the log files it's recommeded to report this I would like todo so. I have Filebeat installed (7.13.2) on Windows Server 2019 (1809). We have Air Watch Cloud Connector (19.12) configured for sending Syslog data to the local installed filebeat. It does work for some time, but then filebeat shows up with following error message, and stops sendig any data to elasticsearch:

2021-07-07T18:55:06.233+0200 ERROR [udp] dgram/handler.go:77 Error reading from the socket read udp 127.0.0.1:9514: wsarecvfrom: A message sent on a datagram socket was larger than the internal message buffer or some other network limit, or the buffer used to receive a datagram into was smaller than the datagram itself. {"address": "localhost:9514"}
2021-07-07T18:55:06.303+0200 ERROR [UDP] logp/logger.go:218 Panic handling datagram. Recovering, but please report this.{panic 25 0 runtime error: invalid memory address or nil pointer dereference} {stack 15 0 github.com/elastic/beats/v7/libbeat/logp.(*Logger).Recover
/go/src/github.com/elastic/beats/libbeat/logp/logger.go:218
runtime.gopanic
/usr/local/go/src/runtime/panic.go:969
runtime.panicmem
/usr/local/go/src/runtime/panic.go:212
runtime.sigpanic
/usr/local/go/src/runtime/signal_windows.go:246
github.com/elastic/beats/v7/filebeat/input/udp.NewInput.func1
/go/src/github.com/elastic/beats/filebeat/input/udp/input.go:77
github.com/elastic/beats/v7/filebeat/inputsource/common/dgram.DatagramReaderFactory.func1.1
/go/src/github.com/elastic/beats/filebeat/inputsource/common/dgram/handler.go:82
github.com/elastic/beats/v7/filebeat/inputsource/common/dgram.(*Listener).connectAndRun
/go/src/github.com/elastic/beats/filebeat/inputsource/common/dgram/server.go:122
github.com/elastic/beats/v7/filebeat/inputsource/common/dgram.(*Listener).Start.func1
/go/src/github.com/elastic/beats/filebeat/inputsource/common/dgram/server.go:112
github.com/elastic/go-concert/unison.(*TaskGroup).Go.func1
/go/pkg/mod/github.com/elastic/go-concert@v0.1.0/unison/taskgroup.go:124 }

Following is the configuration i did for the udp input:

filebeat.inputs:

  • type: udp
    host: "localhost:9514"
    processors:

    • dissect:
      tokenizer: "%{date} %{time} [%{program}] %{severity}: %{message}"
      target_prefix: "ws1"
  • type: tcp
    host: "localhost:9514"
    processors:

    • dissect:
      tokenizer: "%{date} %{time} [%{program}] %{severity}: %{message}"
      target_prefix: "ws1"

Even if the sender send too large UDP packages, as it is written in the log filebeat should recover and send the following data?

Kind Regards
Roland

Could you please open Beats issue for this and post this panic? It looks like a problem with Beats.

Hello Marcin
Yes of course I will do that. Thanks for your reply.
Kind Regards Roland

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.