
Logstash udp input not working

I am quite new to Logstash, but I've spent quite some time trying to get this right with no success. I am sending my logs from multiple applications on different servers via UDP to be logged. Here's the Logstash configuration:

input{
  udp{
    port => 5960
    type => "log4net"
  }
}
filter {
  grok {
    match => ["message", "(?m)%{TIMESTAMP_ISO8601:sourceTimestamp}\s*%{WORD:System}\s*%{LOGLEVEL:logLevel}\s*-\s*%{WORD:logger}\s*-\s*%{NOTSPACE:source}\s*%{NOTSPACE:action}\s*%{UUID:transactionId}\s*%{GREEDYDATA:message}"]
  }
}
output {
  elasticsearch {
    protocol => "http"
    host => "[mylocalip]"
    port => "9200"
  }
  stdout { codec => rubydebug }
}

Unfortunately, no message is logged. I checked and made sure that the port is available when I start Logstash. I also properly configured the firewall to allow UDP messages via this port. When I run tcpdump, I can see the UDP messages arriving. Additionally, I tried another input method (logs from nginx) and it works OK. What am I doing wrong?

Elasticsearch version - 1.4
Logstash version - 1.5 (initially tried also with 1.4)
OS - CentOS 6.5
Java - OpenJDK Runtime Environment (rhel-2.5.5.1.el6_6-x86_64 u79-b14)

Most likely you are missing a route to the sender. If this is the case, what happens is:

  1. You receive a packet that was sent to your Logstash IP/port.
  2. You see it in tcpdump, since it's at the network layer.
  3. Then the kernel tries to reach the sender (even for UDP).
  4. If there is no route, it fails, hence dropping the UDP packet, and you don't see it at the app level.

  1. Check the Logstash log to see which host it opens the port on. The default is 0.0.0.0, which will not be reached. Add the "host" parameter in the udp definition.
  2. Use a port check tool (like qryport on Windows) to check whether the port is actually being listened on.
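
Added example (not part of the original question or answers): on a Linux host such as the CentOS box in the question, the kernel's own socket table shows which address UDP port 5960 is bound to and how many datagrams that socket has dropped, which separates "visible in tcpdump" from "delivered to the application". The function names and the sample table are constructed for illustration; the column layout assumed is that of /proc/net/udp.

```python
import socket
import struct

# Constructed sample in the layout of Linux /proc/net/udp (not taken from the post).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 00000000:1748 00000000:0000 07 00000000:00000000 00:00000000 00000000   498        0 20411 2 ffff880037a1c000 37
  19: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11532 2 ffff880037a1c380 0
"""


def parse_udp_table(text):
    """Return one dict per IPv4 UDP socket: bind address, port, rx queue, drops."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 13:  # older or truncated rows without a drops column
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order
        # (little-endian on x86); the port is plain hexadecimal.
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        rx_queue = int(fields[4].split(":")[1], 16)  # bytes waiting to be read
        sockets.append({"addr": addr, "port": int(port_hex, 16),
                        "rx_queue": rx_queue, "drops": int(fields[12])})
    return sockets


def listeners_on(text, port):
    """Sockets bound to the given UDP port (5960 is 0x1748 in the table)."""
    return [s for s in parse_udp_table(text) if s["port"] == port]


if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample off Linux
    hits = listeners_on(table, 5960)
    if not hits:
        print("nothing is bound to UDP 5960 in the IPv4 table")
    for s in hits:
        print("bound to %(addr)s:%(port)d rx_queue=%(rx_queue)d drops=%(drops)d" % s)
```

A JVM may open the listener as an IPv6 dual-stack socket, in which case it appears in /proc/net/udp6 rather than in the table read here.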
