Logstash does not open port 5044 on Ubuntu server


(Hoa Nguyễn) #1

Hi all,
I configured the pipeline to collect the Windows Firewall log of Windows Server 2012 as follows:
etc/logstash/conf.d/10-input.conf

input {
  beats {
    # The port to listen on for filebeat connections.
    port => 5044
  }
}

etc/logstash/conf.d/20-fwlog.conf

filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:date_time} %{DATA:action} %{WORD:protocol} %{IPORHOST:src_ip} %{IPORHOST:dst_ip} %{INT:src_port} %{INT:dst_port} %{DATA:size} %{DATA:tcp_flags} %{DATA:tcp_syn} %{DATA:tcp_act} %{DATA:tcp_win} %{DATA:acmp_type} %{DATA:icmp_code} %{DATA:info} %{WORD:path}" }
  }
  date {
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
}

etc/logstash/conf.d/30-output.conf

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

But when I run the netstat -lntp command, I do not see port 5044 active :frowning:


(Mark Walkom) #2

Please don't post pictures of text, they are difficult to read and some people may not even be able to see them.

Has LS started? Can you try telnetting to the port?


(Hoa Nguyễn) #3

Hi warkolm,
Thanks for answering.
Yes, I will draw on the experience for the next post.
I tried telnet from windows machine to LS under port 5044 but failed.


(Mark Walkom) #4

Failed how?


(Hoa Nguyễn) #5

When I try to test telnet to LS, the following message appears:
PingSucceeded : true
TcpTestSucceeded : False


(Hoa Nguyễn) #6

On LS I ran the sudo service logstash configtest command and saw the message:
LS Unrecognized service


(Mark Walkom) #7

Can you please show the full command and output that you are running.


(Hoa Nguyễn) #8

C:\Windows\system32> Test-NetConnection -Port 5044
WARNING: TCP connect to < IP of LS>:5044 failed

ComputerName : IP
RemoteAddress : IP
RemotePort : 5044
InterfaceAlias : Eth0
SourceAddress :
PingSucceeded : true
TcpTestSucceeded : False
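
The two checks this thread relies on (`netstat -lntp` on the Logstash host and a TCP test from the Windows host) can be combined into one decision. This is an added example, not part of any post above; the function names `listener_state` and `next_check` and the sample netstat output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify how a TCP port is bound, from `netstat -lnt[p]` output on stdin.
# Prints: absent | loopback-only | all-interfaces | specific:<address>
listener_state() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && match($4, /:[0-9]+$/) {
            p = substr($4, RSTART + 1)      # port follows the last colon
            a = substr($4, 1, RSTART - 1)   # bind address precedes it
            if (p + 0 != port + 0) next
            if (a == "0.0.0.0" || a == "::" || a == "*") wild = 1
            else if (a ~ /^127\./ || a == "::1" || a ~ /^::ffff:127\./) loop = 1
            else other = a
        }
        END {
            if (wild)             print "all-interfaces"
            else if (other != "") print "specific:" other
            else if (loop)        print "loopback-only"
            else                  print "absent"
        }'
}

# Map the listener state plus the remote TCP test result (ok|fail) to the next check.
next_check() {
    case "$1:$2" in
        absent:*)        echo "no listener: confirm the Logstash service is running and read its log for pipeline/config errors" ;;
        loopback-only:*) echo "bound to loopback: remote Beats cannot connect; review the beats input host setting" ;;
        *:fail)          echo "listener present but remote connect fails: check firewalls between the hosts" ;;
        *)               echo "listener present and reachable" ;;
    esac
}

# Constructed sample resembling the situation in the thread: Elasticsearch is up, 5044 is missing.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      1500/java'

state=$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_state 5044)
echo "5044: $state -> $(next_check "$state" fail)"
# On a live host: netstat -lnt | listener_state 5044
```

A successful ping with a failed TCP test, as in post #8, only shows that the host is up; the listener state on the Logstash side is what separates a pipeline that never started from a filtered port.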

