Logstash to Logstash Not Working

I have a Logstash server with a tcp output configured:

output {
  tcp {
    host => "x.x.x.x"
    port => 12345
    codec => json
  }
}

On a receiving Logstash box, I have a tcp input configured and I am adding a couple of fields for tracking purposes:

input {
  tcp {
    port => 12345
    codec => json
    add_field => [ "field", "DATA" ]
  }
}

On the receiving Logstash server, via tcpdump, I can see the messages coming in:

19:19:24.999659 IP (tos 0x0, ttl 62, id 40830, offset 0, flags [DF], proto TCP (6), length 931)
    x.x.x.x.49652 > x.x.x.x.12345: Flags [P.], cksum 0x520c (correct), seq 44933:45812, ack 1, win 1460, options [nop,nop,TS val 3021847556 ecr 832838], length 879
E....~@.>.s.
.       .
e       B....5`.lY.......R......
.......F{"pipeline_protocol":"udp","syslog_severity_code":6,"syslog_body":"SFR requested ASA to bypass further packet redirection and process TCP flow from inside:x.x.x.x/55349 to outside:x.x.x.x/443 locally\n","city":"#####","syslog_facility":"LOCAL0","syslog_facility_code":16,"device_type":"Cisco ASA","message":"<13>Jan 25 18:19:24.670162 x.x.x.x <134>Jan 25 2017 18:19:24 ##### : %ASA-6-434004: SFR requested ASA to bypass further packet redirection and process TCP flow from inside:x.x.x.x/55349 to outside:x.x.x.x/443 locally\n","syslog_severity":"INFORMATIONAL","pipeline":"LOGFIREWALL","device_ip":"x.x.x.x","cisco_mnemonic":"434004","pipeline_ingress":"########","hostname":"########","@timestamp":"2017-01-26T00:19:24.680Z","cisco_facility":"ASA","@version":"1","host":"x.x.x.x","cisco_severity":"6","pipeline_port":"###","syslog_pri":"134"}
19:19:24.999679 IP (tos 0x0, ttl 64, id 16160, offset 0, flags [DF], proto TCP (6), length 52)
    x.x.x.x.36514 > x.x.x.x.49652: Flags [.], cksum 0x26f2 (incorrect -> 0xd88e), ack 45812, win 1041, options [nop,nop,TS val 832877 ecr 3021847556], length 0
E..4? @.@...
e       B
.       .....Y...5`......&......
...m....

My Logstash output, at the moment, is this:

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
    user => "#####"
    password => "#####"
  }
}

Yet, NONE of these logs are making it into ES. I have OTHER inputs defined and those logs ARE making it in just fine.

I installed the X-pack so I could look at monitoring and it is showing all green.

What am I missing so that the receiving Logstash server will ingest the message output from another Logstash server?

As a test, I changed the protocols from TCP to UDP and it works just fine. I need this to be TCP, so what am I doing wrong???

I wonder if you perhaps need to use the json_lines codec so that the output ends each event with a newline character.

I did try it, on the input configuration.

I will try it on both sides.

Looks like json_lines on both sides fixed it. Testing with another box to verify.

Magnus,
That did the trick.

All my Logstash to Logstash logs are now being processed. Thank you!!!!
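
Why the newline delimiter matters on TCP but not on UDP, as an added example that is not part of the original thread and is not Logstash's own code: a simplified Python model of a receiver that parses each read as one JSON document versus one that buffers and splits on newlines. The event values, function names and the 40-byte read size are constructed for illustration.

```python
import json

# Constructed sample events, loosely modelled on fields in the capture above.
EVENTS = [
    {"device_type": "Cisco ASA", "cisco_mnemonic": "434004", "syslog_severity_code": 6},
    {"device_type": "Cisco ASA", "cisco_mnemonic": "302013", "syslog_severity_code": 6},
    {"device_type": "Cisco ASA", "cisco_mnemonic": "106023", "syslog_severity_code": 4},
]

def serialize(events, delimiter=b""):
    """Sender side: write every event onto one continuous byte stream."""
    return b"".join(json.dumps(e).encode() + delimiter for e in events)

def chunks(stream, size):
    """Model TCP delivery: a read returns an arbitrary slice, not one event."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]

def parse_per_read(reads):
    """Unframed receiver: assume each read holds exactly one JSON document."""
    ok, failed = [], 0
    for data in reads:
        try:
            ok.append(json.loads(data))
        except ValueError:  # truncated document or several run together
            failed += 1
    return ok, failed

def parse_lines(reads):
    """Line-framed receiver: buffer bytes and emit one event per newline."""
    buf, ok = b"", []
    for data in reads:
        buf += data
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if line:
                ok.append(json.loads(line))
    return ok, buf  # buf keeps any incomplete trailing event

if __name__ == "__main__":
    # TCP without a delimiter: reads cut across event boundaries, nothing parses.
    print(parse_per_read(chunks(serialize(EVENTS), 40)))
    # UDP-like delivery: one event per datagram, so per-read parsing works.
    print(parse_per_read([serialize([e]) for e in EVENTS])[1])
    # TCP with newline framing: all events recovered whatever the read size.
    print(len(parse_lines(chunks(serialize(EVENTS, b"\n"), 40))[0]))
```
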
