Here is my setup:
- system-A -- running logstash-forwarder, shipping to B
- system-B -- running lumberjack on port 5043 and logstash-forwarder
- system-C -- running logstash-forwarder, shipping to B
I'm seeing reverse connections being made from system B to random ports on systems A, B and C.
If I run lsof on system B then I get the following:
```
sudo lsof -i :5043
COMMAND  PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
java    6470 root   16u  IPv4 95926184      0t0  TCP *:swxadmin (LISTEN)
java    6470 root   58u  IPv4 95926674      0t0  TCP B:swxadmin->A:54825 (ESTABLISHED)
java    6470 root   62u  IPv4 95936170      0t0  TCP B:swxadmin->C:36901 (ESTABLISHED)
java    6470 root   66u  IPv4 95936172      0t0  TCP B:swxadmin->B:58816 (ESTABLISHED)
```
Process 6470 is the Logstash process (server component) running on system B.
Logstash version is 1.5.4 and logstash-forwarders are version 0.3.1.
Does anyone know what these reverse connections are and why they're being made? I tried troubleshooting but since Logstash refuses to run without SSL, I can't dump the traffic.