Logstash to Logstash Not Working

kopacko · January 26, 2017, 12:25am

I have a Logstash server with a tcp output configured:

output {
  tcp {
    host => "x.x.x.x"
    port => 12345
    codec => json
  }
}

On a receiving Logstash box, I have a tcp input configured and I am adding a couple fields for tracking purposes:

input {
  tcp {
    port => 12345
    codec => json
    add_field => [ "field", "DATA" ]
  }
}

On the receiving Logstash server, via tcpdump, I can see the messages coming in:

19:19:24.999659 IP (tos 0x0, ttl 62, id 40830, offset 0, flags [DF], proto TCP (6), length 931)
    x.x.x.x.49652 > x.x.x.x.12345: Flags [P.], cksum 0x520c (correct), seq 44933:45812, ack 1, win 1460, options [nop,nop,TS val 3021847556 ecr 832838], length 879
E....~@.>.s.
.       .
e       B....5`.lY.......R......
.......F{"pipeline_protocol":"udp","syslog_severity_code":6,"syslog_body":"SFR requested ASA to bypass further packet redirection and process TCP flow from inside:x.x.x.x/55349 to outside:x.x.x.x/443 locally\n","city":"#####","syslog_facility":"LOCAL0","syslog_facility_code":16,"device_type":"Cisco ASA","message":"<13>Jan 25 18:19:24.670162 x.x.x.x <134>Jan 25 2017 18:19:24 ##### : %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from inside:x.x.x.x/55349 to outside:x.x.x.x/443 locally\n","syslog_severity":"INFORMATIONAL","pipeline":"LOGFIREWALL","device_ip":"x.x.x.x","cisco_mnemonic":"434004","pipeline_ingress":"########","hostname":"########","@timestamp":"2017-01-26T00:19:24.680Z","cisco_facility":"ASA","@version":"1","host":"x.x.x.x","cisco_severity":"6","pipeline_port":"###","syslog_pri":"134"}
19:19:24.999679 IP (tos 0x0, ttl 64, id 16160, offset 0, flags [DF], proto TCP (6), length 52)
    x.x.x.x.36514 > x.x.x.x.49652: Flags [.], cksum 0x26f2 (incorrect -> 0xd88e), ack 45812, win 1041, options [nop,nop,TS val 832877 ecr 3021847556], length 0
E..4? @.@...
e       B
.       .....Y...5`......&......
...m....

My Logstash output, at the moment, is this:

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
    user => "#####"
    password => "#####"
  }
}

Yet, NONE of these logs are making it into ES. I have OTHER inputs defined and those logs ARE making it in just fine.

I installed the X-pack so I could look at monitoring and it is showing all green.

What am I missing so that the receiving Logstash server will ingest the message output from another Logstash server?

kopacko · January 26, 2017, 4:21am

As a test, I change the protocols from TCP to UDP and it works just fine. I need this to be TCP, so what am I doing wrong???

magnusbaeck · January 26, 2017, 7:08am

I wonder if you perhaps need to use the json_lines codec so that the output ends each event with a newline character.

kopacko · January 26, 2017, 2:54pm

I did try it, on the input configuration.

I will try it on both sides.

kopacko · January 26, 2017, 3:44pm

Looks like json_lines on both sides fixed it. Testing with another box to verify.

kopacko · January 26, 2017, 4:46pm

Magnus,
That did the trick.

All my Logstash to Logstash logs are now being processed. Thank you!!!!

system · February 23, 2017, 4:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.