Logstash host field set as docker bridge network gateway

Running logstash 7.3.0 as a docker container.
I have a UDP input receiving messages from some Cisco ASAs and the host field is populating with the docker bridge network gateway address vs the firewall's IP.

Ruby debug output shows:
"host" => "172.18.0.1",

I've been searching trying to see if anyone else has encountered this before. I can't seem to replicate the issue in my lab.

I've also done some sniffing and can see the traffic coming in to the host machine with the proper source IP.

How exactly does the host field get populated in logstash? Any suggestions are greatly appreciated!

In a udp input it's done like this, so you need to set that option to something else.

Hi Badger,
Thanks for responding.

Is that string being pulled from the UDP packet header?

I'm guessing that docker is mutating that header; I'm running a quick sniff to confirm.

It's populated from the sender_addrinfo that recvfrom_nonblock returns. I would expect that to be whatever is in the UDP header.
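The mechanism described in the reply above, as an added Ruby example that is not from the thread or from the Logstash source: a receiver reads the sender address from `recvfrom_nonblock`, first for a datagram sent directly and then for one forwarded by a relay. The relay stands in for whatever hop rewrote the source between the firewall and the container (an assumption, since the thread never identifies it); the helper names and the sample message are constructed, and because everything runs on loopback the rewrite is visible in the source port rather than the address.

```ruby
require 'socket'

# recvfrom_nonblock returns [payload, sender_addrinfo], where
# sender_addrinfo is [family, port, hostname, numeric_address].
# The receiver only ever sees the last hop that sent the datagram.
def receive_one(sock, timeout = 2)
  raise 'timed out waiting for datagram' unless IO.select([sock], nil, nil, timeout)

  payload, sender = sock.recvfrom_nonblock(65_535)
  { payload: payload, host: sender[3], port: sender[1] }
end

# UDP socket on loopback with a kernel-assigned port.
def bound_udp
  s = UDPSocket.new
  s.bind('127.0.0.1', 0)
  s
end

def demo
  listener  = bound_udp  # plays the udp input
  firewall  = bound_udp  # plays the original sender
  relay_in  = bound_udp  # hop that accepts the datagram...
  relay_out = bound_udp  # ...and re-sends it from its own socket
  dest_port = listener.addr[1]
  msg = '<166>constructed ASA-style syslog line'

  # Case 1: direct delivery, sender info is the firewall's own socket.
  firewall.send(msg, 0, '127.0.0.1', dest_port)
  direct = receive_one(listener)

  # Case 2: delivery through the relay, sender info is the relay's socket.
  firewall.send(msg, 0, '127.0.0.1', relay_in.addr[1])
  hop = receive_one(relay_in)
  relay_out.send(hop[:payload], 0, '127.0.0.1', dest_port)
  relayed = receive_one(listener)

  { direct: direct, relayed: relayed,
    firewall_port: firewall.addr[1], relay_port: relay_out.addr[1] }
ensure
  [listener, firewall, relay_in, relay_out].each { |s| s&.close }
end

p demo if __FILE__ == $PROGRAM_NAME
```

In the relayed case the payload arrives unchanged but nothing in the sender info identifies the original sender, so attribution would have to come from the message body.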

I can't replicate this issue in a lab. I just updated to 7.3.1 and swapped out to different hardware. I'm going to try running logstash as a service on the host box as opposed to a docker container. I expect that to resolve the problem.

I installed Logstash as a service which resolved this issue. I'd prefer running Logstash as a container but this will work fine for now.
