How was the Logstash Plugin installed: bundled with the package
JVM (e.g. java -version):
If the affected version of Logstash is 7.9 (or earlier), or if it is NOT using the bundled JDK or using the 'no-jdk' version in 7.10 (or higher), please provide the following information:
Description of the problem including expected versus actual behavior:
We have many pieces of network equipment that send their logs to a Logstash server.
Those flows come through a firewall that kills idle connections after 60 min.
Since this equipment is not very verbose, I see many connections for the same piece of equipment as ESTABLISHED on the Logstash server while I see only one on the other side.
Since the syslog input doesn't provide a tcp_keep_alive parameter, and netstat --timers -tn clearly shows that this is the case, the connections in ESTABLISHED keep growing indefinitely since the kernel is not aware that it should clean them up.
As a result, the server exceeds the maximum ulimit and refuses to accept new connections, and the only solution is to restart Logstash to free the ESTABLISHED connections.
Solution:
Have a tcp_keep_alive parameter, as is provided in the TCP input plugin.
Regards,
OS version (uname -a if on a Unix-like system): CentOS 7.5, 3.10.0-957.27.2.el7.x86_64