Filebeat service keeps stopping unexpectedly

Applies to:
  • SecureAuth Identity Platform
Deployment model:
  • Hybrid
Version Affected:
  • 9.2+

    Description:  

    The Filebeat service stops unexpectedly at random intervals. When started again, it runs for an arbitrary period (e.g. a few minutes) and then stops again.

     

    Cause:  

    The Filebeat logs (located in C:\ProgramData\SecureAuth Corporation\filebeat) contain the following error:

    ERROR [udp] udp/server.go:107 Error reading from the socket read udp 127.0.0.1:6000: wsarecvfrom: A message sent on a datagram socket was larger than the internal message buffer or some other network limit, or the buffer used to receive a datagram into was smaller than the datagram itself. {"address": "127.0.0.1:6000"}

    This means that the Filebeat service is receiving UDP packets from an IdP realm that exceed its size limit, which is 10KB by default. When this occurs, Filebeat appears to shut down.

     

    The large packets are usually caused by log messages containing group membership information expressed as distinguished names. For users who are members of many groups, or if those groups are deeply nested, the 10KB limit can easily be exceeded.

     

    Resolution:  

    1. Stop the SecureAuth Filebeat service in the services.msc console.

    2. Increase the max_message_size value in the Filebeat configuration file located here:

    C:\Program Files\SecureAuth Corporation\FileBeat\filebeat.yml

    Change the max_message_size value from 10KiB to 64KiB, which is the maximum size for a UDP packet.

    3. Start the SecureAuth Filebeat service.

    4. Confirm that the error is no longer occurring in the Filebeat log.
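
The four steps above as a PowerShell script, added here as an example and not SecureAuth's own tooling. It assumes that exactly one service has "Filebeat" in its display name and that filebeat.yml contains a single uncommented max_message_size line; the two paths are the ones given in this article.

```powershell
# Added example: run from an elevated PowerShell session on the Filebeat host.
$ErrorActionPreference = 'Stop'
$configPath = 'C:\Program Files\SecureAuth Corporation\FileBeat\filebeat.yml'  # from the article
$logDir     = 'C:\ProgramData\SecureAuth Corporation\filebeat'                 # from the article

# Assumption: exactly one service has "Filebeat" in its display name (check services.msc).
$svc = @(Get-Service -DisplayName '*Filebeat*')
if ($svc.Count -ne 1) { throw "Expected one Filebeat service, found $($svc.Count)." }

# Locate the setting before touching anything; a missing or commented-out key is not edited.
$pattern = '^(\s*max_message_size\s*:\s*)\S+'
$lines   = [System.IO.File]::ReadAllLines($configPath)
$hits    = @($lines | Where-Object { $_ -match $pattern })
if ($hits.Count -ne 1) { throw "Expected one max_message_size line, found $($hits.Count)." }

# Step 1: stop the service.
Stop-Service -InputObject $svc[0]

# Step 2: keep a timestamped backup, then rewrite only the value.
# WriteAllLines emits UTF-8 without a BOM, so the YAML file keeps a plain encoding.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $configPath -Destination $backup
$updated = [string[]]($lines -replace $pattern, '${1}64KiB')
[System.IO.File]::WriteAllLines($configPath, $updated)

# Step 3: start the service and note the time for comparison with log timestamps.
Start-Service -InputObject $svc[0]
Write-Output "Service restarted at $(Get-Date -Format o); backup saved to $backup"

# Step 4: list the most recent occurrences of the socket error across the log files.
# Entries older than the restart time are expected; newer ones mean the limit is still exceeded.
Get-ChildItem -LiteralPath $logDir -File |
    Sort-Object LastWriteTime |
    Select-String -Pattern 'wsarecvfrom' -SimpleMatch |
    Select-Object -Last 5 -Property Filename, LineNumber, Line
```

Because the service previously ran for a few minutes before stopping, rerun the step 4 pipeline after a similar interval and confirm the service is still running with `Get-Service`.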

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
