Logstash Stdout empty

Bountardos · August 31, 2023, 3:53pm

Hi there, i'm having issues with a recent configuration on my logstash and i can't understand why it's not working.
I have multiple configuration files running, and working. This one was working also as of a week ago, but we changed the source IP that was sending the logs, that is all, so we updated the filter in our configuration file and nothing is showinf anymore.

# FIle
input {
  udp {
    port => 10000
  }
}

filter {
# empty for now
}

output {
  stdout { codec => rubydebug { metadata => true } }

  kafka {
    ...
  }
}

Pretty basic configuration, please ignore the "..." under kafka, that is working i just removed it here for clarity.

If i do a tcpdump on the port we receive the logs, the server is listeneing on the port on udp, but i never see anything via the stdout and i can't understand why. Any ideas please?

Rios · August 31, 2023, 4:50pm

but we changed the source IP that was sending the logs, that is all, so we updated the filter in our configuration file and nothing is showinf anymore.

Most likely a firewall issue. LS doesn't filter anything which arrive to the port 10000.

Bountardos · September 1, 2023, 6:51am

Hi, thank you for your reply. I don't understand how can this be firewall related, traffic is coming, we see it through tcpdump.

Rios · September 1, 2023, 9:33am

Is tcpdump on the same host where is LS?
Is the UDP port 10000 correct?
Can you check did LS start listener on port 10000? by netstat and also should be visible in LS log.

You must have some trace, something is not OK.
input is simple, filter is empty, output shows rubydebug ... simpliest cannot be.

The firewall can block the traffic, if you change source address and rules were set like that.