Logstash fails to get logs from UDP


#1

Here is the test configuration I'm using to debug the issue:

input {
        udp {
                workers => 5
                type => "fortinet"
                port => 1514
                queue_size => 100000
        }
}
 
filter {
}
 
output {
        stdout {
                codec => "rubydebug"
        }
}

Then I start Logstash manually with just that config file. It starts successfully with the 'Logstash startup completed' message in the console and that's it, nothing else.

I can see it is listening on the port using netstat:

~# netstat -anpl | grep 1514
udp6       0      0 :::1514                 :::*                                10440/java

And the process is actually Logstash:

root     10440 84.6  4.1 2582724 166120 pts/0  Sl+  10:54   0:18  |                   \_ /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Xmx500m -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/opt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f debug1514

However, I don't see any log even though I can see traffic on that port using tcpdump: 'tcpdump -i em1 -n -w fortinet.pcap udp port 1514'. Opening the pcap with Wireshark shows me actual logs. I would be more than happy to provide that pcap file if somebody needs it to debug the issue.

I also checked iptables: the default policy for INPUT is accept and the only filtered thing is TCP port 22 (ip6tables is completely empty, which means all IPv6 traffic flows without restrictions). And nothing is in the Logstash logs (/var/logs/logstash/logstash.log, or .err, .stdout).

System info:

  • Ubuntu 14.04.3 LTS
  • Logstash 1.5.4 from Elastic deb repository
  • OpenJDK 7
  • 4 network interfaces. Two of them have IPs.

Any idea why it's not getting any log entries?


#2

Seems like it was a routing issue.
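
On a multi-homed Linux host, one routing-related cause of this symptom (packets visible in tcpdump, nothing delivered to the listening socket) is reverse-path filtering. The script below is an added example, not part of the thread, which only says "routing issue"; it assumes an IPv4 sender, approximates the kernel's reverse lookup with `ip route get`, and its function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the "routing issue" is
# reverse-path filtering; the thread does not say which routing problem it was.

# Print the interface named after "dev" in `ip route get <addr>` output.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter).
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# rp_verdict <mode> <ingress iface> <iface of route back to sender, may be empty>
#   0 = no source validation
#   1 = strict: route back to the sender must leave via the ingress interface
#   2 = loose: sender must be reachable via some interface
rp_verdict() {
    case "$1" in
        0) echo pass ;;
        1) if [ "$2" = "$3" ]; then echo pass; else echo drop; fi ;;
        2) if [ -n "$3" ]; then echo pass; else echo drop; fi ;;
        *) echo unknown ;;
    esac
}

# check_sender <sender ip> <ingress iface>: run the check on the live host.
check_sender() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    ifc=$(cat "/proc/sys/net/ipv4/conf/$2/rp_filter")
    dev=$(route_dev "$(ip -4 route get "$1" 2>/dev/null)")
    mode=$(effective_rp_filter "$all" "$ifc")
    echo "rp_filter=$mode ingress=$2 return_route_dev=${dev:-none}" \
         "verdict=$(rp_verdict "$mode" "$2" "$dev")"
}

# Only touch the live host when called as: script <sender ip> <ingress iface>
if [ "$#" -eq 2 ]; then check_sender "$1" "$2"; fi
```

Take the sender address from the capture and the interface from the tcpdump `-i` argument; a `drop` verdict means the kernel discards the datagram after the capture point, so the collector silently loses the firewall's logs.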

