
The NLB (internet-facing) collects logs for Deep Security, etc. from the internet into the VPC in Filebeat.

Below is the current configuration status.

  1. Deep Security IPs send the logs to the NLB listener over TLS.
  2. The NLB forwards the logs received on the listener to the TCP port of the Filebeat servers in the target group.
     • The NLB contains the subnets of all Availability Zones.
     • Filebeat servers with the same configuration are located in each Availability Zone, and all Filebeat servers are included in the target group.
     • The cross-zone option is enabled.
  3. I checked that some logs were lost, and confirmed that those logs did not flow into the TCP port of the Filebeat server.

I checked the VPC logs and the NLB logs, and found that some requests did not have a session with the Filebeat server.

Based on the above logs, I conducted the following tests:

- TEST 1

  1. Configured an additional Filebeat server in the same Availability Zone
  2. Configured the target group only with Filebeat servers located in the same Availability Zone
  3. Logs were still being lost

- TEST 2

  1. Changed the configuration to include only one Filebeat server in the target group, but the logs are still being lost

Note: Sticky sessions do not apply to TLS.

Current ACM TLS version: ELBSecurityPolicy-TLS-1-2-Ext-2018-06
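The check described in the question (VPC flow logs showing client connections to the NLB listener that never turn into a session with a Filebeat server) can be scripted as a first-pass triage. This is an added example, not code from the question or from AWS; it assumes the default 14-field VPC flow log format, constructed sample records, placeholder NLB node IPs, listener port 6514, Filebeat port 5044 and target IPs, and that the targets see the NLB node IPs as the source (client IP preservation off); flow logs are aggregated, so matching is by time window only.

```python
# Added triage script: correlate VPC flow log records to find client TLS
# connections accepted at the NLB listener with no matching backend flow.
NLB_IPS = {"10.0.1.10", "10.0.2.10"}     # assumed NLB node private IPs
LISTENER_PORT = 6514                     # assumed TLS listener port (placeholder)
TARGET_PORT = 5044                       # assumed Filebeat TCP input port
TARGET_IPS = {"10.0.1.50", "10.0.2.50"}  # assumed Filebeat servers
WINDOW = 5                               # seconds between client and backend flow start

# Constructed sample records in the default VPC flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE = """\
2 123456789012 eni-aaaa 203.0.113.7 10.0.1.10 51234 6514 6 12 2400 1700000000 1700000003 ACCEPT OK
2 123456789012 eni-bbbb 10.0.1.10 10.0.1.50 40001 5044 6 10 2100 1700000001 1700000004 ACCEPT OK
2 123456789012 eni-aaaa 198.51.100.9 10.0.2.10 51800 6514 6 8 1500 1700000010 1700000012 ACCEPT OK
2 123456789012 eni-bbbb 10.0.2.10 10.0.2.50 40002 5044 6 1 60 1700000011 1700000011 REJECT OK
2 123456789012 eni-aaaa 203.0.113.7 10.0.1.10 51300 6514 6 9 1700 1700000020 1700000022 ACCEPT OK
"""

def parse(line):
    """Pull the fields this check needs out of one default-format record."""
    f = line.split()
    return dict(src=f[3], dst=f[4], sport=int(f[5]), dport=int(f[6]),
                start=int(f[10]), end=int(f[11]), action=f[12])

def find_orphans(text):
    """Return (orphans, rejects).

    orphans: (client_ip, client_port, start) for accepted listener flows that
             have no ACCEPTed NLB->target flow from the same NLB node within WINDOW.
    rejects: backend flows toward the target port that were REJECTed, which
             points at a security group or NACL on the target side.
    """
    recs = [parse(l) for l in text.splitlines() if l.strip()]
    front = [r for r in recs if r["dst"] in NLB_IPS
             and r["dport"] == LISTENER_PORT and r["action"] == "ACCEPT"]
    back = [r for r in recs if r["src"] in NLB_IPS
            and r["dst"] in TARGET_IPS and r["dport"] == TARGET_PORT]
    rejects = [b for b in back if b["action"] == "REJECT"]
    orphans = []
    for c in front:
        matched = any(b["action"] == "ACCEPT" and b["src"] == c["dst"]
                      and abs(b["start"] - c["start"]) <= WINDOW for b in back)
        if not matched:
            orphans.append((c["src"], c["sport"], c["start"]))
    return orphans, rejects

if __name__ == "__main__":
    o, r = find_orphans(SAMPLE)
    print("listener flows without a backend session:", o)
    print("rejected backend flows:", [(b["src"], b["dst"], b["start"]) for b in r])
```

On the sample, the second client connection is orphaned because its backend flow was REJECTed, and the third has no backend flow at all; on real data, feed the merged flow logs of the NLB and target ENIs.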

Wrong site. You're looking for [sf] instead. This site is for programming-related questions, not networking or server configuration. You can find more information in the [help]. – Ken White Feb 24 '23 at 01:50

0 Answers