Http/gelf/beats input host mask not working (docker network)


#1

Hi, I am trying to allow input only from my own network and thus have the following .conf

  input {
    gelf {
      type => "log"
      # host => "172.16.0.0"
      # port => 12201
    }

    beats {
      # host => "172.16.0.0"
      port => 5044
      type => "log"
    }

    http {
      # host => "0.0.0.0" # default: 0.0.0.0
      # port => 8080 # default: 8080
      type => "log"
    }
  }

My network is a Docker network on 172.16.0.0. Everything works fine without host (default), or when I set the http host to 0.0.0.0 (and the sender IP is 172.16.0.5). Tested with e.g.

curl -v -s -H 'content-type: application/json' -XPOST 'http://logstash:8080/' -d '{ "message": "TEST" }'

But once I set the host to 172.16.0.0 I get

* Hostname was NOT found in DNS cache
*   Trying 172.16.0.38...
* connect to 172.16.0.38 port 8080 failed: Connection refused
* Failed to connect to logstash port 8080: Connection refused

What am I doing wrong? How do I mask the network to allow input only from 255.255.255.0?


(Magnus Bäck) #2

The host option chooses which interface to listen on, i.e. it must either be 0.0.0.0 or one of the IP addresses that the host has. It's not an access control mechanism per se.

How do I mask the network to allow input only from 255.255.255.0?

That can't be done from Logstash (unless you accept events initially but drop everything that doesn't originate from the same subnet or whatever condition you like).

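As an added illustration of the workaround described above (not part of the original thread, and not configuration shipped with Logstash), the pipeline below binds the http input to 0.0.0.0 and then uses the cidr filter plugin to drop every event whose client address lies outside 172.16.0.0/24. The field that carries the client address is an assumption that depends on the input plugin and the Logstash version: the http input writes the remote address to the top-level host field in older versions and to [host][ip] when ECS compatibility is enabled, and the beats input records it in [@metadata][ip_address]; check the plugin documentation for the version you run before relying on it.

```logstash
input {
  http {
    # Bind address: must be 0.0.0.0 or an address this container actually
    # owns. A network prefix such as 172.16.0.0 is not bindable, which is
    # why the listener never came up and curl saw "Connection refused".
    host => "0.0.0.0"
    port => 8080
    type => "log"
  }
}

filter {
  # Assumption: the http input stored the client address in the top-level
  # "host" field. Use "%{[host][ip]}" instead when ECS compatibility is on,
  # and "%{[@metadata][ip_address]}" for events from the beats input.
  cidr {
    address => [ "%{host}" ]
    network => [ "172.16.0.0/24" ]
    add_tag => [ "trusted_source" ]
  }

  # Anything the cidr filter did not tag came from outside the subnet.
  if "trusted_source" not in [tags] {
    drop { }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Two caveats. First, this only limits what reaches the rest of the pipeline: the listener still accepts the TCP connection and parses the payload from any source, so it is not a substitute for a network boundary. In a Docker setup the boundary is the network itself: do not publish the port on the host at all if only other containers need it, or publish it on a specific address (for example `-p 127.0.0.1:8080:8080`) and add host firewall rules if needed. Second, do not apply this check to the gelf input's host field: that value is supplied by the sender inside the GELF message (verify against your plugin version), so it is not a trustworthy client address.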

#3

Thanks. I think the documentation "The IP address to listen on." could then use a little more explanation. I have seen quite a few posts where people ask about their setting not working and are then told to use 0.0.0.0. I guess today many people are used to network mapping being the standard for things where you can set the IP.


(Magnus Bäck) #4

I guess today many people are used to network mapping being the standard for things where you can set the ip.

I don't understand what you mean by this.


#5

I mean that in cases where you could expect input to come from a limited number of nodes, but from a specific network (or networks), it would be nice to have mapping enabled. So for example 172.13.14.0 would allow all nodes from 172.13.14.x. That is how I interpreted the documentation and, reading quite a few posts, I wasn't the only one.

Your answer was perfect and clear.


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.