Logstash creating many tcp connections for single hosts

Question

Logstash: 5.3.0 nxlog: nxlog-ce-2.9.1716

Checking nestat I have like 300 established connections even though I have only about 50 hosts.

I have like 40 connections for some hosts when I the client's side there is only one active connection.

I added data_timeout => 500 to my input filter and restarted logstash but it looks like connections are still growing and remaining in the established state.

If the OS sees the connection as ESTABLISHED does that not count as an idle connection? Because in that case data_timeout would have no impact right?

My TCP keep alive settings are the default values, should I change this?:

  # cat /proc/sys/net/ipv4/tcp_keepalive_time
  7200
  # cat /proc/sys/net/ipv4/tcp_keepalive_intvl
  75
  # cat /proc/sys/net/ipv4/tcp_keepalive_probes
  9

I have like 40 connections open for single hosts is this expected behavior? Why are they are remaining in the ESTABLISHED state? Or is there a reason logstash needs multiple connections open for a single host like this?

score 0 · Answer 1 · answered Jul 09 '17 at 13:23

0

You should investigate further why logstash is not closing the connections properly (e.g. check the logs). Perhaps you have some network gear/proxy firewall between the two that terminates the TCP session?

answered Jul 09 '17 at 13:23

b0ti

986
1
6
13

Logstash creating many tcp connections for single hosts

1 Answers1