Logstash host field set as docker bridge network gateway

dcmott86 · August 22, 2019, 7:13pm

Running logstash 7.3.0 as a docker container.
I have a UDP input receiving messages from from some Cisco ASA's and the host field is populating with the docker bridge network gateway address vs the firewall's IP.

Ruby debug output shows:
"host" => "172.18.0.1",

I've been searching trying to see if anyone else has encountered this before. I can't seem to replicate the issue in my lab.

I've also done some sniffing and can see the traffic coming in to the host machine with the proper source IP.

How exactly does the host field get populated in logstash? Any suggestions are greatly appreciated!

Badger · August 22, 2019, 8:15pm

In a udp input it's done like this, so you need to set that option to something else.

dcmott86 · August 22, 2019, 8:51pm

Hi Badger,
Thanks for responding.

Is that string being pulled from the UDP packet header?

I'm guessing that docker is mutating that header, I'm running a quick sniff to confirm.

Badger · August 22, 2019, 9:36pm

It's populated from the sender_addrinfo that recvfrom_nonblock returns. I would expect that to be whatever is in the UDP header.

dcmott86 · August 23, 2019, 3:03pm

I can't replicate this issue in a lab. I just updated to 7.3.1 and swapped out to different hardware. I'm going to try running logstash as a service on the host box as opposed to a docker container. I expect that to resolve the problem.

dcmott86 · August 23, 2019, 6:31pm

I installed Logstash as a service which resolved this issue. I'd prefer running Logstash as a container but this will work fine for now.

system · September 20, 2019, 6:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.