Hello,
We have a cluster of logstash instances behind an F5 load balancer. Part of the F5 implementation includes a health check that is sent every couple of seconds to make sure the UDP port on the logstash is still up. If the health check fails then the instances is declared dead and the F5 will not send traffic to it anymore.
The F5 can send a string over TCP/UDP and can do an API call.
Today the UDP test to Logstash is not a real SNMP trap thus an error message is created saying that the trap could not be parsed.
Received data:
"default send string"
Error handling trap: 100
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/snmp-1.3.1/lib/snmp/ber.rb:192:in decode_sequence' /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/snmp-1.3.1/lib/snmp/pdu.rb:50:in
decode'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/snmp-1.3.1/lib/snmp/manager.rb:710:in block in process_traps' org/jruby/RubyKernel.java:1411:in
loop'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/snmp-1.3.1/lib/snmp/manager.rb:707:in process_traps' /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-snmptrap-3.0.6/lib/logstash/inputs/snmptrap/patches/trap_listener.rb:17:in
process_traps'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/snmp-1.3.1/lib/snmp/manager.rb:634:in `block in initialize'
Is there a way to not process these Health Check messages in the pipeline? Maybe a way to drop these logs when they come from a specific source?
Anyone else have experience with F5 in front of logstash for Traps?
Thanks