Hello everyone.
I have a host with the following specs
- CentOS 7
- 16GB RAM
- 2 CPUs
- 100GB storage
- 2 network interfaces
And I'm trying to set up logstash to receive and filter the following types of logs
- Netflow over UDP on port 2055
- Syslog over UDP on port 514
My goal, at this point, is just to receive the logs, filter, and forward them to a file (only for testing).
My issue is that I can see the logs arriving at the host
[root@specialhost specialuser]# tcpdump -i any udp port 2055 and dst host <MYIP>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:54:48.356883 IP <SOMEOTHERIP>.dossier > <MYIP>.iop: UDP, length 1312
11:54:48.416922 IP <SOMEOTHERIP>.dossier > <MYIP>.iop: UDP, length 1312
11:54:48.446942 IP <SOMEOTHERIP>.dossier > <MYIP>.iop: UDP, length 1312
11:54:48.546944 IP <SOMEOTHERIP>.dossier > <MYIP>.iop: UDP, length 1312
But I can't see them going through logstash
[2020-10-21T12:03:30,740][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.9.2", "jruby.version"=>"jruby 9.2.13.0 (2.5.7) 2020-08-03 9a89c94bcc OpenJDK 64-Bit Server VM 25.262-b10 on 1.8.0_262-b10 +indy +jit [linux-x86_64]"}
[2020-10-21T12:03:34,864][INFO ][org.reflections.Reflections] Reflections took 112 ms to scan 1 urls, producing 22 keys and 45 values
[2020-10-21T12:03:39,303][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/logstash-101-input-checkpoint.conf", "/etc/logstash/conf.d/logstash-999-output.conf"], :thread=>"#<Thread:0x7e80790b run>"}
[2020-10-21T12:03:40,302][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>0.96}
[2020-10-21T12:03:40,336][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2020-10-21T12:03:40,412][INFO ][logstash.inputs.udp ][main][2d7a6d4cd7d2f4c7d12304be6f50e980c427cff2a74ff952e4d15f627639d192] Starting UDP listener {:address=>"<MYIP>:2055"}
[2020-10-21T12:03:40,490][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-10-21T12:03:40,644][INFO ][logstash.inputs.udp ][main][2d7a6d4cd7d2f4c7d12304be6f50e980c427cff2a74ff952e4d15f627639d192] UDP listener started {:address=>"<MYIP>:2055", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2020-10-21T12:03:40,894][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
Here's my logstash.conf file, which is owned by the logstash user (test.log is also owned by logstash and has permissions 777)
input {
  udp {
    # bind only the NetFlow interface address; netstat below confirms the socket
    host => "<MYIP>"
    port => 2055
    # decode NetFlow v5/v9/IPFIX datagrams into events
    codec => "netflow"
  }
}
output {
  file {
    # one JSON document per line, for testing only
    path => "/var/log/logstash/test.log"
    codec => "json_lines"
  }
}
The netstat output
[root@specialhost specialuser]# netstat -ulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.1:323 0.0.0.0:* 681/chronyd
udp 0 0 <MYIP>:2055 0.0.0.0:* 1792/java
udp6 0 0 ::1:323
A few things:
- I know there's a logstash module for netflow (this works btw), but for now, I want to use the UDP plugin
- I tried to run logstash as root as some posts suggested, but it makes no difference
- I also left logstash running overnight, as suggested by some posts
- SELinux and FW are disabled for now
- I also tried to use rsyslog to redirect logs to another port, but no luck
- I tested the connection with netcat and I can receive messages
- Using TCP is not an option
Does anyone see any issue that I don't? Or does someone have something new for me to try?
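As an added example (not part of the original post or of Logstash), here is a small Python script for the two checks a practitioner would run next. It builds a synthetic NetFlow v5 datagram that can be sent to the udp input on port 2055 (v5 is template-free, so the netflow codec can decode it immediately, which tests the pipeline independently of the real exporter), and it inspects a raw datagram to report its NetFlow version and, for v9/IPFIX, whether a template flowset is present (the netflow codec only decodes v9/IPFIX data records after it has received the matching template). The target address, the sample flows and the two sample v9 datagrams are constructed assumptions for the example.

```python
"""Synthetic NetFlow test traffic and datagram inspection (added example, not from the original post).

Assumptions: the target host/port, SAMPLE_FLOWS and the SAMPLE_V9_* datagrams are constructed here.
"""
import socket
import struct
import time

# NetFlow v5 header (24 bytes): version, count, sys_uptime_ms, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record (48 bytes): src, dst, nexthop, in_if, out_if, packets, octets, first, last,
# sport, dport, pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40000, "dport": 53, "proto": 17, "packets": 1, "octets": 64},
    {"src": "10.0.0.2", "dst": "10.0.0.1", "sport": 53, "dport": 40000, "proto": 17, "packets": 1, "octets": 120},
]


def build_netflow_v5(flows, sys_uptime_ms=60_000, unix_secs=None, flow_sequence=0):
    """Return a NetFlow v5 datagram carrying the given flows (1..30 records)."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("NetFlow v5 carries 1..30 records per datagram")
    unix_secs = int(time.time()) if unix_secs is None else unix_secs
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, flow_sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0",
            0, 0, f["packets"], f["octets"], sys_uptime_ms - 1_000, sys_uptime_ms,
            f["sport"], f["dport"], 0, 0, f["proto"], 0, 0, 0, 0, 0, 0,
        )
        for f in flows
    )
    return header + records


def parse_netflow_v5(data):
    """Decode a NetFlow v5 datagram back into flow dicts (round-trip check for build_netflow_v5)."""
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "sport": r[9], "dport": r[10], "proto": r[13], "packets": r[5], "octets": r[6]})
    return flows


def inspect_datagram(data):
    """Report version and, for v9/IPFIX, the flowset ids and whether a template flowset is present."""
    if len(data) < 4:
        raise ValueError("datagram too short")
    version, second = struct.unpack("!HH", data[:4])
    if version == 5:
        return {"version": 5, "count": second, "flowset_ids": [], "has_template": None}
    if version == 9:           # v9: 20-byte header; template flowset id 0, options template id 1
        offset, template_ids = 20, {0, 1}
    elif version == 10:        # IPFIX: 16-byte header; template set id 2, options template id 3
        offset, template_ids = 16, {2, 3}
    else:
        return {"version": version, "count": None, "flowset_ids": [], "has_template": None}
    ids = []
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4:         # malformed length would loop forever; stop here
            break
        ids.append(fs_id)
        offset += fs_len
    return {"version": version, "count": second, "flowset_ids": ids,
            "has_template": any(i in template_ids for i in ids)}


def send_datagram(data, host, port):
    """Send one UDP datagram; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (host, port))


def _v9_header(count):
    # v9 header: version, count, sys_uptime, unix_secs, sequence, source_id (constructed values)
    return struct.pack("!HHIIII", 9, count, 60_000, 1_600_000_000, 1, 0)


# Constructed v9 datagram with only a data flowset (id 256): undecodable without template 256.
SAMPLE_V9_DATA_ONLY = _v9_header(1) + struct.pack("!HH", 256, 12) + b"\x00" * 8
# Constructed v9 datagram with template flowset (id 0) defining template 256 = IN_BYTES(1,4) + IN_PKTS(2,4),
# followed by a matching data flowset.
SAMPLE_V9_WITH_TEMPLATE = (_v9_header(2) + struct.pack("!HHHHHHHH", 0, 16, 256, 2, 1, 4, 2, 4)
                           + struct.pack("!HH", 256, 12) + b"\x00" * 8)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumption: pass <MYIP> here
    sent = send_datagram(build_netflow_v5(SAMPLE_FLOWS), target, 2055)
    print(f"sent {sent} bytes of NetFlow v5 to {target}:2055; now check /var/log/logstash/test.log")
    for name, d in (("v9 data-only", SAMPLE_V9_DATA_ONLY), ("v9 with template", SAMPLE_V9_WITH_TEMPLATE)):
        print(name, inspect_datagram(d))
```

Run it with the listener address (`python3 netflow_check.py <MYIP>`): if the two v5 flows show up in test.log, the input, codec and file output all work and attention moves to the exporter's datagrams. To inspect those, feed the raw UDP payload of one captured packet (for example extracted from a `tcpdump -w` capture) to `inspect_datagram`; a v9 or IPFIX stream whose flowset ids are all 256 or above has not carried a template yet, and data records arriving before the template cannot be decoded.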