Not able to process UDP traffic

Hello everyone.

I have a host with the following specs

  • CentOS 7
  • 16GB RAM
  • 2 CPUs
  • 100GB storage
  • 2 network interfaces

And I'm trying to set up logstash to receive and filter the following types of logs

  • Netflow over UDP on port 2055
  • Syslog over UDP on port 514

My goal, at this point, is just to receive the logs, filter them, and forward them to a file (only for testing).
My issue is that I can see the logs arriving at the host

[root@specialhost specialuser]# tcpdump -i any udp port 2055 and dst host <MYIP>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:54:48.356883 IP <SOMEOTHERIP>.dossier > <MYIP>.iop: UDP, length 1312
11:54:48.416922 IP <SOMEOTHERIP>.dossier > <MYIP>.iop: UDP, length 1312
11:54:48.446942 IP <SOMEOTHERIP>.dossier > <MYIP>.iop: UDP, length 1312
11:54:48.546944 IP <SOMEOTHERIP>.dossier > <MYIP>.iop: UDP, length 1312

But I can't see them going through logstash

[2020-10-21T12:03:30,740][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.9.2", "jruby.version"=>"jruby 9.2.13.0 (2.5.7) 2020-08-03 9a89c94bcc OpenJDK 64-Bit Server VM 25.262-b10 on 1.8.0_262-b10 +indy +jit [linux-x86_64]"}
[2020-10-21T12:03:34,864][INFO ][org.reflections.Reflections] Reflections took 112 ms to scan 1 urls, producing 22 keys and 45 values 
[2020-10-21T12:03:39,303][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>250, "pipeline.sources"=>["/etc/logstash/conf.d/logstash-101-input-checkpoint.conf", "/etc/logstash/conf.d/logstash-999-output.conf"], :thread=>"#<Thread:0x7e80790b run>"}
[2020-10-21T12:03:40,302][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.96}
[2020-10-21T12:03:40,336][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2020-10-21T12:03:40,412][INFO ][logstash.inputs.udp      ][main][2d7a6d4cd7d2f4c7d12304be6f50e980c427cff2a74ff952e4d15f627639d192] Starting UDP listener {:address=>"<MYIP>:2055"}
[2020-10-21T12:03:40,490][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2020-10-21T12:03:40,644][INFO ][logstash.inputs.udp      ][main][2d7a6d4cd7d2f4c7d12304be6f50e980c427cff2a74ff952e4d15f627639d192] UDP listener started {:address=>"<MYIP>:2055", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
[2020-10-21T12:03:40,894][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

Here's my logstash.conf file, which is owned by the logstash user (test.log is also owned by logstash and has permissions 777)

input {
  udp {
    host => "<MYIP>"
    port => 2055
    codec => "netflow"
  }
}
output {
  file {
    path => "/var/log/logstash/test.log"
    codec => "json_lines"
  }
}

The netstat output

[root@specialhost specialuser]#  netstat -ulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 127.0.0.1:323           0.0.0.0:*                           681/chronyd         
udp        0      0 <MYIP>:2055 	     0.0.0.0:*                           1792/java           
udp6      0      0 ::1:323

A few things:

  • I know there's a logstash module for netflow (this works btw), but for now, I want to use the UDP plugin
  • I tried to run logstash as root as some posts suggested, but it makes no difference
  • I also left logstash running overnight, as suggested by some posts
  • SELinux and FW are disabled for now
  • I also tried to use rsyslog to redirect logs to another port, but no luck
  • I tested the connection with netcat and I can receive messages
  • Using TCP is not an option

Does anyone see any issue that I don't? Or does someone have something new for me to try?
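One check worth running on the captured UDP payloads before suspecting the input plugin: the netflow codec decodes NetFlow v5 directly, but for v9 it can only decode a data flowset after it has received the template flowset with the same ID, so packets that visibly arrive (as in the tcpdump above) can still yield no events until a template shows up. The script below is an added example, not part of this post or of Logstash; it inspects one raw payload and reports which template IDs it defines and which data flowsets reference a template not seen yet, and the sample packets it builds are constructed (the function names and the 10.0.0.x addresses are hypothetical).

```python
import struct

def parse_netflow(payload: bytes, known_templates=None) -> dict:
    """Report what a template-dependent NetFlow decoder could do with one UDP payload.

    v5 is self-describing; v9 data flowsets can only be decoded once the
    template flowset with the same ID has been seen (here: in this packet or
    in known_templates, the IDs seen in earlier packets)."""
    known = set(known_templates or ())
    version = struct.unpack_from("!H", payload, 0)[0]
    result = {"version": version, "templates": [], "data_flowsets": [], "undecodable": []}
    if version == 5:  # 24-byte header followed by fixed 48-byte records, no templates needed
        result["records"] = struct.unpack_from("!H", payload, 2)[0]
        return result
    if version != 9:
        return result
    offset = 20  # v9 header: version, count, sysUptime, unix_secs, sequence, source_id
    while offset + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, offset)
        if fs_len < 4:  # a malformed length would otherwise loop forever
            break
        body = payload[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset: one or more (template_id, field_count, fields...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                result["templates"].append(tid)
                known.add(tid)
                pos += 4 + 4 * nfields
        elif fs_id >= 256:  # data flowset, keyed by the template ID it was encoded with
            result["data_flowsets"].append(fs_id)
            if fs_id not in known:
                result["undecodable"].append(fs_id)
        offset += fs_len  # flowset ID 1 (options template) is skipped the same way
    return result

def build_v9_sample(include_template: bool) -> bytes:
    """Constructed sample: a v9 packet with one data flowset for template 256 and,
    optionally, the template that defines it (IPv4 src, IPv4 dst, L4 src port)."""
    header = struct.pack("!HHIIII", 9, 2 if include_template else 1, 1000, 1603281210, 1, 0)
    template = struct.pack("!10H", 0, 20, 256, 3, 8, 4, 12, 4, 7, 2)
    data = struct.pack("!HH4s4sHxx", 256, 16, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 2055)
    return header + (template if include_template else b"") + data

if __name__ == "__main__":
    print(parse_netflow(build_v9_sample(True)))   # template and data in one packet: decodable
    print(parse_netflow(build_v9_sample(False)))  # data only: 256 listed as undecodable
```

Feed it the UDP payload bytes extracted from a capture of port 2055 (tcpdump -w, then strip the headers); if every packet reports its data flowsets as undecodable, the exporter is not sending templates often enough for the codec to start emitting events.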
