Sensor Logstash Output Not Using Receiver Node IP Addresses #13659
Hi,
I have an issue with outputting from sensor nodes to receiver nodes as they are referenced by hostname instead of IP address.
Setup
Version: 2.4.100
I have a distributed setup with one sensor, one manager, two receivers, and two search nodes. They are all on the same, flat network (172.18.58.0/24). Each node has 32 GB RAM, and 16 vCPUs, with the exception of the two search nodes which both have 24 vCPUs.
Note: I installed this in "Air Gap" mode, and left the DNS setting at its default (8.8.8.8, 8.8.4.4) and gateway to the first IP address in my subnet (172.18.58.1), although no gateway exists currently.
Receiver question
When I add a receiver node, the sensor node does not output events to the receiver. The manager continues to receive all events.
The manager node is listed as a Logstash output in Elastic Fleet settings as two entries - one by IP, and the other by hostname.
I can temporarily fix this issue by changing the fleet manager settings to set the Logstash output to the receivers' IP addresses. However, these seem to be reset to the default (hostname) shortly after. I tried changing the /etc/hosts file on my sensor node, but at least when I tried this, I received no events to my receivers (although I was also not receiving events on the manager either at this time).
Is there any workaround short of creating a DNS server and changing resolv.conf? Can I make the Logstash output use IP address rather than hostname similar to how the manager outputs show up?
Upon further searching, I see the same issue here: #11909 (comment). Can this be added to the main install?
Extra Questions
I have a few other things I would like to ask - should I add these as separate discussions?:
Thanks