Unable to bind specific network interface to logstash

I have two interfaces, eth0 and eth2. The network traffic from the systems reaches the eth2 interface.
I have a Logstash instance which was working well for the network traffic of the default network interface (eth0).
My requirement is that Logstash should listen on the eth2 interface and forward to Elasticsearch. Logstash is accepting syslog information on port 5000. I am able to see the Logstash output when sending a message using netcat on port 5000.

Any help is most welcome. Thanks in advance.

Hello,

You need to share your logstash pipeline configuration; without it, it is not possible to understand what the issue can be.

Please find the logstash configuration:

input {
  tcp {
    host => "192.168.77.3"
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}

filter {

}

output {
  stdout{}
  file {
    path => "/usr/share/logstash/logstash.json"
  }
}

Thanks @leandrojmp for quick reply.

In which protocol do you need to listen on the eth2? What is the IP address of the eth2 interface?

You have two different inputs: the tcp input is binding only to the IP 192.168.77.3, so it will only listen on this IP address.

The udp input is binding to every IP address available on the server; the default value for the host setting is 0.0.0.0.

I would suggest that you remove the host setting from the tcp input and see if it works; it will make logstash bind to port 5000 using tcp on every IP address available on the server.

We tried that already, without the host setting.

It is listening on 0.0.0.0 at that time, but the network traffic is not going to the port.

Logstash logs:

[2021-11-30T14:03:18,824][INFO ][logstash.inputs.udp      ][elastiflow][2805a5619b827373061c0554ea4c20877584ee073214b0b50ec7a30987f184f2] Starting UDP listener {:address=>"0.0.0.0:5000"}
[2021-11-30T14:03:18,844][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:elastiflow], :non_running_pipelines=>[]}
[2021-11-30T14:03:18,869][INFO ][logstash.inputs.udp      ][elastiflow][2805a5619b827373061c0554ea4c20877584ee073214b0b50ec7a30987f184f2] UDP listener started {:address=>"0.0.0.0:5000", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}

This log tells that logstash was able to bind to port 5000 on all available IP addresses using UDP; there is no binding problem.

If you are using UDP to send logs from a source server or device and your logstash server is not receiving them, then you may have some network issue, a firewall or route problem; you will need to check that.
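The two points made in this thread, that a `host` setting narrows an input to one address while the default `0.0.0.0` accepts datagrams sent to any local address, and that the "Starting UDP listener" log line only proves the bind succeeded, not that traffic is arriving, can be checked with a small local probe. The script below is an added example, not part of the thread and not Logstash code: it parses the bind address out of a log line of the form shown above, and it binds a throwaway UDP listener to a chosen address on an ephemeral port (so it runs unprivileged instead of on 5000), sends one constructed datagram to a target address on that port, and reports whether the listener received it. The addresses, port and sample log line are constructed for the demo; 127.0.0.2 is used as a second loopback address, which exists on Linux but may not on other systems, in which case the probe reports `None` rather than a verdict.

```python
"""Added example (not from the thread): separate a bind problem from a
delivery problem for a UDP syslog listener such as the Logstash udp input.
All addresses, ports and the sample log line below are constructed."""
import re
import socket

# Matches the bind address logstash.inputs.udp reports, e.g.
#   Starting UDP listener {:address=>"0.0.0.0:5000"}
BIND_RE = re.compile(r':address=>"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"')


def parse_bind_address(log_line):
    """Return (ip, port) from a logstash.inputs.udp log line, or None."""
    m = BIND_RE.search(log_line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def is_wildcard(ip):
    """True when the listener accepts traffic sent to any local address."""
    return ip in ("0.0.0.0", "::")


def udp_delivery(bind_ip, send_to_ip, payload=b"<13>demo syslog line", timeout=0.5):
    """Bind a UDP listener to bind_ip on an ephemeral port, send one datagram
    to send_to_ip on that same port, and report whether the listener got it.

    Returns True (received), False (bound fine but nothing arrived, the same
    situation as a Logstash input that starts cleanly but stays idle), or
    None when bind_ip is not assigned on this host (bind itself fails)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((bind_ip, 0))  # port 0: let the kernel pick a free port
    except OSError:
        listener.close()
        return None
    port = listener.getsockname()[1]
    listener.settimeout(timeout)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(payload, (send_to_ip, port))
        try:
            data, _ = listener.recvfrom(2048)
        except socket.timeout:
            return False
        return data == payload
    finally:
        sender.close()
        listener.close()


def main():
    # Constructed log line in the format Logstash printed in the thread.
    line = ('[2021-11-30T14:03:18,824][INFO ][logstash.inputs.udp      ] '
            'Starting UDP listener {:address=>"0.0.0.0:5000"}')
    ip, port = parse_bind_address(line)
    print(f"listener bound to {ip}:{port}, wildcard={is_wildcard(ip)}")

    # Wildcard bind receives a datagram addressed to any local IP.
    print("0.0.0.0 <- 127.0.0.1:", udp_delivery("0.0.0.0", "127.0.0.1"))
    # Specific bind receives only datagrams addressed to that IP.
    print("127.0.0.1 <- 127.0.0.1:", udp_delivery("127.0.0.1", "127.0.0.1"))
    # Specific bind on another local address misses datagrams sent elsewhere.
    print("127.0.0.2 <- 127.0.0.1:", udp_delivery("127.0.0.2", "127.0.0.1"))


if __name__ == "__main__":
    main()
```

Running the probe on the host and again inside the Logstash container, with the address the devices actually send to, shows at which point delivery stops; if the probe succeeds where the real input does not, the difference lies in the pipeline's own `host`/`port` settings rather than in the network path.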

I don't have many routing table entries in my ELK setup, and the firewall is inactive.

This is my tcpdump for port 5000:

listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
14:27:01.819435 IP 192.168.129.1.49666 > ELK.5000: UDP, length 105
14:27:01.819512 IP 192.168.129.1.49666 > ELK.5000: UDP, length 110
14:27:02.026195 IP 192.168.129.1.49666 > ELK.5000: UDP, length 164
14:27:02.059464 IP 192.168.129.1.49666 > ELK.5000: UDP, length 63
14:27:02.082236 IP 192.168.129.1.49666 > ELK.5000: UDP, length 121

When I go inside the container of logstash, I could see the same dump.
tcpdump inside the container:

listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
14:30:20.060804 IP 192.168.129.1.49666 > ELK.commplex-main: UDP, length 135
14:30:20.060858 IP 192.168.129.1.49666 > ELK.commplex-main: UDP, length 99
14:30:20.138807 IP 192.168.129.1.49666 > ELK.commplex-main: UDP, length 104

I feel this is making some difference.
