our firewall monitoring has identified the logstash process behaving very weird:
The java process connects to another machine on about 230 different TCP Ports.
So basically it behaves like a portscanner. The people who have installed logstash don't know how to identify the root cause for this.
Here is an example from tcpdump:
10.x.x.22.commplex-main > 10.x.x.57.60230: Flags [S.], cksum 0x1c0d (incorrect -> 0x6cda), seq 2703440304, ack 3314038781, win 28960, options [mss 1460,sackOK,TS val 1216153208 ecr 1678754793,nop,wscale 7], length 0
08:34:55.604342 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
This is outgoing traffic from the logstash process on Source Port TCP 5000.
If i stop the filebeat service on the target machine there is no bad traffic anymore.
Can anybody explain me the background of this traffic and/or how to stop it.
Thanks in advance.