logstash-plugins / logstash-input-syslog

Apache License 2.0

Missing tcp_keep_alive parameter and growing ESTABLISHED #69

Open rockandska opened 2 years ago

rockandska commented 2 years ago

Logstash information:

Please include the following information:

  1. Logstash version : 7.9.1
  2. Logstash installation source: rpm
  3. How is Logstash being run : systemd
  4. How was the Logstash Plugin installed : bundle with the package

JVM (e.g. java -version):

If the affected version of Logstash is 7.9 (or earlier), or if it is NOT using the bundled JDK or using the 'no-jdk' version in 7.10 (or higher), please provide the following information:

  1. JVM version : openjdk 1.8.0
  2. JVM installation source: Operating System's package manager

OS version (uname -a if on a Unix-like system):

Centos 7.5 3.10.0-957.27.2.el7.x86_64

Description of the problem including expected versus actual behavior:

We have many pieces of network equipment that send their logs to a Logstash server. Those flows come through a firewall that kills idle connections after 60 min. Since this equipment is not too verbose, I see many connections for the same device as ESTABLISHED on the Logstash server when I see only one on the other side. Since SYSLOG INPUT doesn't provide a tcp_keep_alive parameter, and netstat --timers -tn shows clearly that this is the case, the connections in ESTABLISHED keep growing indefinitely since the kernel is not aware that it should clean them up. As a result, the server exceeds the maximum ulimit and refuses to accept new connections, and the only solution is to restart Logstash to free the ESTABLISHED connections.

Solution:

Have a tcp_keep_alive parameter, as is provided in the TCP Input plugin.

Regards,
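
An added example, not part of the original issue or the plugin's code: a small parser for `netstat --timers -tn` output that counts, per remote peer, the ESTABLISHED connections on the syslog listener whose timer is `off` (no keepalive armed), which is the symptom the report describes. The listener port 514, the addresses and the sample output are constructed assumptions.

```python
from collections import Counter

# Constructed sample of `netstat --timers -tn` output (not from the issue).
# Port 514 and the 10.0.0.5 / 192.0.2.x addresses are assumptions.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 10.0.0.5:514            192.0.2.10:40001        ESTABLISHED off (0.00/0/0)
tcp        0      0 10.0.0.5:514            192.0.2.10:41877        ESTABLISHED off (0.00/0/0)
tcp        0      0 10.0.0.5:514            192.0.2.10:43002        ESTABLISHED off (0.00/0/0)
tcp        0      0 10.0.0.5:514            192.0.2.20:51000        ESTABLISHED off (0.00/0/0)
tcp6       0      0 ::ffff:10.0.0.5:514     ::ffff:192.0.2.30:33010 ESTABLISHED off (0.00/0/0)
tcp6       0      0 ::ffff:10.0.0.5:514     ::ffff:192.0.2.30:33555 ESTABLISHED off (0.00/0/0)
tcp        0      0 10.0.0.5:22             192.0.2.99:50022        ESTABLISHED keepalive (7100.12/0/0)
tcp        0      0 10.0.0.5:514            192.0.2.40:40400        TIME_WAIT   timewait (12.50/0/0)
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms also work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def no_keepalive_by_peer(netstat_text, local_port):
    """Count ESTABLISHED sockets on local_port whose timer is 'off', per peer."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows: proto, recv-q, send-q, local, foreign, state, timer, ...
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        _, lport = split_endpoint(fields[3])
        peer, _ = split_endpoint(fields[4])
        if lport == str(local_port) and fields[5] == "ESTABLISHED" and fields[6] == "off":
            counts[peer] += 1
    return counts


def suspected_leaks(netstat_text, local_port, min_conns=2):
    """Peers holding min_conns or more keepalive-less sessions: likely half-open leftovers."""
    counts = no_keepalive_by_peer(netstat_text, local_port)
    return {peer: n for peer, n in counts.items() if n >= min_conns}


if __name__ == "__main__":
    for peer, n in sorted(suspected_leaks(SAMPLE, 514).items()):
        print(f"{peer}: {n} ESTABLISHED connections with no keepalive timer")
```

Run periodically against live `netstat --timers -tn` output, a rising per-peer count gives early warning before the process reaches its file-descriptor ulimit.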