I have logstash, kibana on one server and another one runs elasticsearch. I have three open pipelines collecting logfile data.
I noticed a lot of open ports (277 established TCP connections in the range 45000 - 55000).
- Is this normal?
- Is there a way to reduce the requests rate e.g. via stack motinoring/advanced settings? Or is this proportional to the incoming log data rate and cannot be adjusted (perhaps via delays in logstash?)
With tcpdump I can see that the traffic consists of similar packets per port. As if it is some sort of keep-alive check ... There must be a way to reduce the frequency of these messages
Example of what is transmitted on one of the ports ( note that SERVER02.wap-wsp is SERVER02.9200, that is elasticsearch port that gets translated to wap-wsp from tcpdump)
sudo tcpdump -A -i any port 50122
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
18:09:29.097289 IP SERVER01.50122 > SERVER02.wap-wsp: Flags [.], ack 1020159173, win 1424, options [nop,nop,TS val 1521411063 ecr 4108180594], length 0
E..4'.@.@.............#....O<.d.....^%.....
Z......r
18:09:29.097617 IP SERVER02.wap-wsp > SERVER01.50122: Flags [.], ack 1, win 3433, options [nop,nop,TS val 4108181618 ecr 1521373219], length 0
E..4..@.@.B.........#...<.d....P...i.......
...rZ.P#
18:09:30.121265 IP SERVER01.50122 > SERVER02.wap-wsp: Flags [.], ack 1, win 1424, options [nop,nop,TS val 1521412087 ecr 4108181618], length 0
E..4'.@.@.............#....O<.d.....^%.....
Z......r
18:09:30.121568 IP SERVER02.wap-wsp > SERVER01.50122: Flags [.], ack 1, win 3433, options [nop,nop,TS val 4108182642 ecr 1521373219], length 0
E..4..@.@.B.........#...<.d....P...i.......
...rZ.P#
18:09:31.145316 IP SERVER01.50122 > SERVER02.wap-wsp: Flags [.], ack 1, win 1424, options [nop,nop,TS val 1521413111 ecr 4108182642], length 0
E..4'.@.@.............#....O<.d.....^%.....
Z......r