Hi,
I have a problem.
The problem is partly described in: Using logstash to listen on mirrored ports (similar to Beats) · Issue #9948 · elastic/logstash · GitHub
Logstash does not want to read the data sent in promiscuous mode.
On the same system, tcpdump returns information about the data being sent to a specific UDP port (say UDP/2002) on that system.
user@HOSTNAME:$ sudo tcpdump -i ens192 port 2002 -c 5
07:59:40.158066 IP 192.168.22.44.38388 > HOSTNAME.2002: UDP length 1415
...
Logstash has a standard configuration.
The pipeline has an input:
input {
  udp {
    port => 2002
  }
}
In Logstash log/status there is information that Logstash is listening on a given port (example UDP/2002).
However, Logstash does not actually read any data.
I can specify the listening on a specific IP address from the interface (in Logstash pipeline - input/host) but this does not solve the problem.
What could be the problem?