Can't listen to syslog with Logstash


(Adrien) #1

Hello, I'm having some problems configuring Logstash to listen to the syslog that a server sends me. I configured the pipeline like this:

    input {
      syslog {
        port => "514"
      }
    }
    filter {
      geoip {
        source => "clientip"
      }
    }
    output {
      elasticsearch {
        hosts => [ "localhost:9200" ]
      }
    }

And when I launch Logstash I see that it successfully starts listening on the port, but then I receive this error:

[2018-02-09T10:45:46,093][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>#<NoMethodError: undefined method `<' for nil:NilClass>, :backtrace=>["C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:213:in `get_event_type'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:165:in `event_action_params'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:39:in `event_action_tuple'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:34:in `block in multi_receive'", "org/jruby/RubyArray.java:2486:in `map'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:34:in `multi_receive'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/output_delegator_strategies/shared.rb:13:in `multi_receive'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/output_delegator.rb:49:in `multi_receive'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:479:in `block in output_batch'", "org/jruby/RubyHash.java:1343:in `each'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:478:in `output_batch'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:430:in `worker_loop'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:385:in `block in start_workers'"]}
[2018-02-09T10:45:46,374][ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: org.jruby.exceptions.RaiseException: (SystemExit) exit
[2018-02-09T10:45:46,406][WARN ][logstash.inputs.syslog   ] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<IOError: closed stream>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:157:in `accept'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.2.4/lib/logstash/inputs/syslog.rb:162:in `tcp_listener'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.2.4/lib/logstash/inputs/syslog.rb:122:in `server'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.2.4/lib/logstash/inputs/syslog.rb:106:in `block in run'"]}

Thank you in advance for your answers.
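A way to read the three log lines above in time order, as an added example that is not part of the original post: it reports which plugin the first FATAL's backtrace points at, which messages were only logged after it, and any listener bound to a port below 1024 on all interfaces. The sample is the post's own log with the backtraces shortened; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the three log lines from post #1, backtraces cut to the frames used here.
SAMPLE_LOG = r"""
[2018-02-09T10:45:46,093][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>#<NoMethodError: undefined method `<' for nil:NilClass>, :backtrace=>["C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:213:in `get_event_type'"]}
[2018-02-09T10:45:46,374][ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: org.jruby.exceptions.RaiseException: (SystemExit) exit
[2018-02-09T10:45:46,406][WARN ][logstash.inputs.syslog   ] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<IOError: closed stream>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:157:in `accept'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.2.4/lib/logstash/inputs/syslog.rb:162:in `tcp_listener'"]}
"""

HEADER = re.compile(r"^\[([^\]]+)\]\[([A-Z]+)\s*\]\[([^\]]+?)\s*\]\s(.*)$")
GEM = re.compile(r"/gems/([a-z-]+)-(\d+(?:\.\d+)*)")   # first plugin gem named in the message
ADDRESS = re.compile(r':address=>"([^":]+):(\d+)"')     # bind address of a listener

def parse(log_text):
    """Turn each Logstash log line into a dict; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        ts, level, logger, msg = m.groups()
        gem, addr = GEM.search(msg), ADDRESS.search(msg)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S,%f"),
            "level": level, "logger": logger,
            "plugin": gem.group(1) if gem else None,
            "version": gem.group(2) if gem else None,
            "listen": (addr.group(1), int(addr.group(2))) if addr else None,
        })
    return events

def triage(log_text):
    """Split events into the first FATAL and everything that was logged after it."""
    events = sorted(parse(log_text), key=lambda e: e["time"])
    fatal = next((e for e in events if e["level"] == "FATAL"), None)
    after = [e for e in events if fatal and e["time"] > fatal["time"]]
    # Ports below 1024 bound on every interface: the restricted-port concern raised in the replies.
    exposed = [e["listen"] for e in events
               if e["listen"] and e["listen"][1] < 1024 and e["listen"][0] == "0.0.0.0"]
    return {"root_cause": fatal, "after_fatal": after, "privileged_listeners": exposed}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("first FATAL points at:", report["root_cause"]["plugin"], report["root_cause"]["version"])
    for e in report["after_fatal"]:
        print("logged after the FATAL:", e["level"], e["logger"], e["plugin"])
    print("privileged listeners:", report["privileged_listeners"])
```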


(bus) #2

Hello, try to update your INPUT SECTION with this code:

    # INPUT SECTION
    input {
      udp {
        port => 514
        type => syslog
      }
    }


(Christian Dahlqvist) #3

514 is a restricted port, so depending on which user Logstash is running as it may not be allowed to bind to it. It is not recommended to run Logstash as root, so you may be better off using a non-restricted port if possible.


(Adrien) #4

Hello, I tried, but I am still receiving this error:

[2018-02-09T11:18:40,122][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>#<NoMethodError: undefined method `<' for nil:NilClass>, :backtrace=>["C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:213:in `get_event_type'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:165:in `event_action_params'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:39:in `event_action_tuple'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:34:in `block in multi_receive'", "org/jruby/RubyArray.java:2486:in `map'", "C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/common.rb:34:in `multi_receive'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/output_delegator_strategies/shared.rb:13:in `multi_receive'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/output_delegator.rb:49:in `multi_receive'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:479:in `block in output_batch'", "org/jruby/RubyHash.java:1343:in `each'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:478:in `output_batch'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:430:in `worker_loop'", "C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:385:in `block in start_workers'"]}
[2018-02-09T11:18:40,371][ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: org.jruby.exceptions.RaiseException: (SystemExit) exit
[2018-02-09T11:18:40,388][WARN ][logstash.inputs.udp      ] UDP listener died {:exception=>java.nio.channels.ClosedSelectorException, :backtrace=>["sun.nio.ch.SelectorImpl.keys(Unknown Source)", "org.jruby.util.io.SelectorPool.put(SelectorPool.java:88)", "org.jruby.util.io.SelectExecutor.selectEnd(SelectExecutor.java:59)", "org.jruby.util.io.SelectExecutor.go(SelectExecutor.java:44)", "org.jruby.RubyIO.select(RubyIO.java:3405)", "C_3a_.ProgramData.Elastic.Logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_input_minus_udp_minus_3_dot_2_dot_1.lib.logstash.inputs.udp.RUBY$method$udp_listener$0(C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.2.1/lib/logstash/inputs/udp.rb:106)", "C_3a_.ProgramData.Elastic.Logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_input_minus_udp_minus_3_dot_2_dot_1.lib.logstash.inputs.udp.RUBY$method$udp_listener$0$__VARARGS__(C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.2.1/lib/logstash/inputs/udp.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:77)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:93)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:145)", "C_3a_.ProgramData.Elastic.Logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_input_minus_udp_minus_3_dot_2_dot_1.lib.logstash.inputs.udp.RUBY$method$run$0(C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.2.1/lib/logstash/inputs/udp.rb:56)", "C_3a_.ProgramData.Elastic.Logstash.vendor.bundle.jruby.$2_dot_3_dot_0.gems.logstash_minus_input_minus_udp_minus_3_dot_2_dot_1.lib.logstash.inputs.udp.RUBY$method$run$0$__VARARGS__(C:/ProgramData/Elastic/Logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.2.1/lib/logstash/inputs/udp.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:77)", 
"org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:93)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:145)", "C_3a_.ProgramData.Elastic.Logstash.logstash_minus_core.lib.logstash.pipeline.RUBY$method$inputworker$0(C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:516)", "C_3a_.ProgramData.Elastic.Logstash.logstash_minus_core.lib.logstash.pipeline.RUBY$method$inputworker$0$__VARARGS__(C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:77)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:93)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:145)", "C_3a_.ProgramData.Elastic.Logstash.logstash_minus_core.lib.logstash.pipeline.RUBY$block$start_input$1(C:/ProgramData/Elastic/Logstash/logstash-core/lib/logstash/pipeline.rb:509)", "org.jruby.runtime.CompiledIRBlockBody.callDirect(CompiledIRBlockBody.java:145)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:71)", "org.jruby.runtime.Block.call(Block.java:124)", "org.jruby.RubyProc.call(RubyProc.java:289)", "org.jruby.RubyProc.call(RubyProc.java:246)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:104)", "java.lang.Thread.run(Unknown Source)"]}

(Adrien) #5

I have actually no users using logstash, I just run it as admin. Is it really a big problem?


(Magnus Bäck) #6

> I have actually no users using logstash, I just run it as admin. Is it really a big problem?

Any service running as root and listening to the network is a liability. We can't tell whether that liability is acceptable to you.

You can work around it by redirecting the traffic with your firewall. Since privileged ports aren't unique to Logstash I'm sure there are many suggestions out there.


(Adrien) #7

Since the server will not be accessible physically, only remotely with a user and password, it will not be a problem.

All I want is to listen on port 514 with Logstash and send it to Elasticsearch.

Again, thank you for your answers


(Adrien) #8

OK, I think I'll pick another solution: I'll install a new server with rsyslog that will send data to another one with Logstash. It will be better! 🙂

