Logstash input fails listening IPv6

davama · March 1, 2018, 3:49pm

Trying to test this project: https://github.com/robcowart/elastiflow

Issue: When running logstash version 6.2.2, enabling ipv6 fails but when i enable with version 5.6.8 it passes and pumps data to elasticsearch. Not sure is this is logstash issue or a plugins issue.

failing logstash host v6.2.2:

[root@localhost conf.d]# /usr/share/logstash/bin/logstash-plugin list --verbose | grep flow
logstash-codec-netflow (3.11.2)
logstash-codec-sflow (2.0.2)
[root@localhost conf.d]# /usr/share/logstash/bin/logstash --version
logstash 6.2.2

Logs i receive from the failing logstash host /var/log/logstash/logstash-plain.log: link

###################
working logstash host 5.6.8:

[root@elastiflow-lab ~]#  /usr/share/logstash/bin/logstash-plugin list --verbose | grep flow
logstash-codec-netflow (3.11.2)
logstash-codec-sflow (2.0.2)
[root@elastiflow-lab ~]# /usr/share/logstash/bin/logstash --version
logstash 5.6.8

Logs i receive from the working logstash host /var/log/logstash/logstash-plain.log: link
###################

inputs that i use for both logstash hosts:

input {
  # Netflow
  udp {
    id => "input_udp_netflow6"
    host => "${ELASTIFLOW_NETFLOW_HOST6:[::1]}"
    port => "${ELASTIFLOW_NETFLOW_PORT:2055}"
    codec => netflow {
      versions => [5,9]
    }
    type => "netflow"
  }

  # sFlow
  udp {
    id => "input_udp_sflow6"
    host => "${ELASTIFLOW_SFLOW_HOST6:[::1]}"
    port => "${ELASTIFLOW_SFLOW_PORT:6343}"
    codec => sflow { }
    type => "sflow"
  }

  # IPFIX
  tcp {
    id => "input_tcp_ipfix6"
    host => "${ELASTIFLOW_IPFIX_TCP_HOST6:[::1]}"
    port => "${ELASTIFLOW_IPFIX_TCP_PORT:4739}"
    codec => netflow {
      versions => [10]
      target => "ipfix"
    }
    type => "ipfix"
  }
  udp {
    id => "input_udp_ipfix6"
    host => "${ELASTIFLOW_IPFIX_UDP_HOST6:[::1]}"
    port => "${ELASTIFLOW_IPFIX_UDP_PORT:4739}"
    codec => netflow {
      versions => [10]
      target => "ipfix"
    }
    type => "ipfix"
  }
}

Any input would be appreciated.

Thank you,
dave

davama · March 19, 2018, 5:28pm

Not sure if this is related but found issues in some inputs

davama · April 2, 2018, 7:55pm

I did submit a ticket on github

Hopefully something comes up

davama · April 24, 2018, 5:56pm

ipv6 works!!! hurray for new update!

[2018-04-24T13:49:05,235][INFO ][logstash.inputs.tcp      ] Starting tcp input listener {:address=>"10.x.x.213:4739", :ssl_enable=>"false"}
[2018-04-24T13:49:05,433][INFO ][logstash.inputs.tcp      ] Starting tcp input listener {:address=>"[xxxx::213]:4739", :ssl_enable=>"false"}
[2018-04-24T13:49:05,442][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"10.x.x.213:2055"}
[2018-04-24T13:49:05,461][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"10.x.x.213:6343"}
[2018-04-24T13:49:05,466][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"10.x.x.213:2055", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2018-04-24T13:49:05,470][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"10.x.x.213:6343", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2018-04-24T13:49:05,494][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"10.x.x.213:4739"}
[2018-04-24T13:49:05,495][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"10.x.x.213:4739", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2018-04-24T13:49:05,530][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"[xxxx::213]:2055"}
[2018-04-24T13:49:05,533][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"[xxxx::213]:2055", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2018-04-24T13:49:05,539][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"[xxxx::213]:6343"}
[2018-04-24T13:49:05,540][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"[xxxx::213]:6343", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2018-04-24T13:49:05,651][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"[xxxx::213]:4739"}
[2018-04-24T13:49:05,652][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"[xxxx::213]:4739", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2018-04-24T13:49:05,661][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"elastiflow", :thread=>"#<Thread:0x11cb7886@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 sleep>"}
[2018-04-24T13:49:06,726][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"iperf3", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-04-24T13:49:06,754][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://elastic:xxxxxx@10.x.x.213:9200/]}}
[2018-04-24T13:49:06,755][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elastic:xxxxxx@10.x.x.213:9200/, :path=>"/"}
[2018-04-24T13:49:06,801][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://elastic:xxxxxx@10.x.x.213:9200/"}
[2018-04-24T13:49:06,805][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}

[root@elastiflow-lab ~]# /usr/share/logstash/bin/logstash-plugin list --verbose | grep -E "flow|net"
logstash-codec-netflow (3.12.0)
logstash-codec-sflow (2.0.2)
[root@elastiflow-lab ~]# rpm -qa | grep -E "elas|logs"
logstash-6.2.4-1.noarch
elasticsearch-6.2.4-1.noarch

system · May 22, 2018, 5:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.