Can't not bind listen port 5140 to logstash ubuntu 18.04

Also, in my humble opinion, separating the conf file into multiple conf files in the beginning, or when you're trying to debug, just makes it harder (for example, finding the actual line number with the error, etc.).
Logstash under the covers concatenates them all anyway. Are there other input sections? What is the output section?

To format the code: paste it in, highlight it, then click the </> button.

Basically you still have syntax errors...

Example: I just ran the following and it worked fine, all in 1 conf file.

# 01-inputs.conf
input {
  udp {
    type => "syslog"
    port => 5140
  }
}

# 05-syslog.conf
filter {
  if [type] == "syslog" {
  #Adjust to match the IP address of pfSense or OPNSense
    if [host] =~ /192.168.1.1/ {
      mutate {
        add_tag => ["pf", "Ready"]
      }
      if "Ready" not in [tags] {
        mutate {
          add_tag => [ "syslog" ]
        }
      }
    }
  }
  if [type] == "syslog" {
    mutate {
      remove_tag => "Ready"
    }
  }
}

# Output section
output {
  stdout { codec => rubydebug }
}
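Chasing a message like the one in the log further down ("Expected one of #, {, ,, ]" right after `match => [ "message"`) across several conf.d files is the pain described above. The following is an added helper, not part of this thread or of Logstash itself: it tokenises each *.conf in name order and flags the usual causes of that exact message with file, line and column, namely two quoted strings in an array with no comma between them, `=>` used inside `[ ]` instead of `{ }`, an unterminated string, and unbalanced brackets. The sample configs it checks (BROKEN, FIXED) are constructed.

```python
import re
from pathlib import Path
# Tokens: quoted strings (with escapes), comments, structural chars, other runs, stray chars.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|#[^\n]*|[\[\]{},]|\s+|[^\s\[\]{},"\'#]+|.')

def lint_config(text):
    """Return [(line, col, problem)] for one pipeline config file. Flags what the
    compiler only reports as 'Expected one of #, {, ,, ]': two strings in an array
    with no comma, '=>' inside [ ], an unterminated string, unbalanced [ ] or { }."""
    problems, stack, prev, line, col = [], [], None, 1, 1   # stack: open (char, line, col)
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        in_array = bool(stack) and stack[-1][0] == '['
        if tok.isspace() or tok.startswith('#'):
            pass
        elif tok in ('[', '{'):
            stack.append((tok, line, col)); prev = 'open'
        elif tok in (']', '}'):
            if stack and stack[-1][0] == {']': '[', '}': '{'}[tok]:
                stack.pop()
            else:
                problems.append((line, col, f"unexpected '{tok}'"))
            prev = 'close'
        elif tok == ',':
            prev = 'comma'
        elif tok[0] in '"\'':
            if len(tok) == 1:
                problems.append((line, col, 'unterminated string'))
            elif in_array and prev == 'str':
                problems.append((line, col, "missing ',' before string"))
            prev = 'str'
        else:
            if tok == '=>' and in_array:
                problems.append((line, col, "'=>' inside [ ]: arrays use commas, hashes use { }"))
            prev = 'other'
        if '\n' in tok:
            line += tok.count('\n'); col = len(tok) - tok.rfind('\n')
        else:
            col += len(tok)
    return problems + [(l, c, f"unclosed '{ch}'") for ch, l, c in stack]

def lint_confdir(confdir):
    """Lint every *.conf in name order (01-, 05-, 10-, ...), the order Logstash loads conf.d."""
    return [f"{p.name}:{l}:{c}: {msg}" for p in sorted(Path(confdir).glob('*.conf'))
            for l, c, msg in lint_config(p.read_text())]

# Constructed sample shaped like the failing fragment in the log: the grok match array continues on the next line and the comma after "message" is missing.
BROKEN = ('filter {\n  if "pf" in [tags] {\n    grok {\n      match => [ "message"\n'
          + ' ' * 17 + '"%{SYSLOGTIMESTAMP:ts} %{GREEDYDATA:rest}" ]\n    }\n  }\n}\n')
FIXED = BROKEN.replace('"message"\n', '"message",\n')
```

Run `lint_confdir('/etc/logstash/conf.d')` before restarting the service; Logstash's own check for the same thing is `bin/logstash --config.test_and_exit -f /etc/logstash/conf.d`.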

Here is the guide I followed:

In my /etc/logstash/conf.d I have the following:
guyp@ubuntu:/etc/logstash/conf.d$ ls -l
total 24
-rw-r--r-- 1 root root 72 Oct 6 10:07 01-inputs.conf
-rw-r--r-- 1 root root 452 Oct 6 10:08 05-syslog.conf
-rw-r--r-- 1 root root 577 Oct 4 23:49 10-pf.conf
-rw-r--r-- 1 root root 3475 Oct 4 23:49 11-firewall.conf
-rw-r--r-- 1 root root 133 Oct 4 23:49 50-outputs.conf
drwxr-xr-x 2 root root 4096 Oct 4 23:50 patterns

Thanks Stephen, how/what would I name the "1" config file in lieu of 01 and 05 for logstash? Or should I just correct the 01 and 05 config files and move on?

Also, is this version of Java compatible w/ logstash?

guyp@ubuntu:/etc/logstash/conf.d$ java -version
java version "12.0.2" 2019-07-16
Java(TM) SE Runtime Environment (build 12.0.2+10)
Java HotSpot(TM) 64-Bit Server VM (build 12.0.2+10, mixed mode, sharing)

Made the changes and still failed.

guyp@ubuntu:/var/log/logstash$ tail logstash-plain.log
[2019-10-06T10:10:04,803][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-10-06T10:10:09,881][INFO ][logstash.runner ] Logstash shut down.
[2019-10-06T10:10:31,104][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.4.0"}
[2019-10-06T10:10:32,905][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, ,, ] at line 40, column 28 (byte 609) after filter {\n if "pf" in [tags] {\n grok {\n match => [ "message" ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2584:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:153:ininitialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:26:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:inblock in converge_state'"]}
[2019-10-06T10:10:33,181][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-10-06T10:10:38,061][INFO ][logstash.runner ] Logstash shut down.
[2019-10-06T10:11:00,270][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.4.0"}
[2019-10-06T10:11:02,582][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, ,, ] at line 40, column 28 (byte 609) after filter {\n if "pf" in [tags] {\n grok {\n match => [ "message" ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2584:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:153:ininitialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:26:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:inblock in converge_state'"]}
[2019-10-06T10:11:02,874][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-10-06T10:11:07,946][INFO ][logstash.runner ] Logstash shut down.

Thanks

Looks like logstash is receiving messages from my FW:

guyp@ubuntu:/etc/logstash/conf.d$ sudo systemctl status logstash.service
ā— logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2019-10-06 10:43:29 CDT; 16min ago
Main PID: 69342 (java)
Tasks: 31 (limit: 4649)
CGroup: /system.slice/logstash.service
└─69342 /usr/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.he

Oct 06 10:59:41 ubuntu logstash[69342]: {
Oct 06 10:59:41 ubuntu logstash[69342]: "@timestamp" => 2019-10-06T15:59:40.919Z,
Oct 06 10:59:41 ubuntu logstash[69342]: "message" => "<134>Oct 6 10:59:40 xxxx.xxxx.com filterlog: 76,,,0,xn0,match,pass,out,4,0x0
Oct 06 10:59:41 ubuntu logstash[69342]: "@version" => "1",
Oct 06 10:59:41 ubuntu logstash[69342]: "type" => "syslog",
Oct 06 10:59:41 ubuntu logstash[69342]: "tags" => [
Oct 06 10:59:41 ubuntu logstash[69342]: [0] "pf"
Oct 06 10:59:41 ubuntu logstash[69342]: ],
Oct 06 10:59:41 ubuntu logstash[69342]: "host" => "192.168.1.1"
Oct 06 10:59:41 ubuntu logstash[69342]: }

This is the config file logstash is failing on:

Update: Following this thread I was able to address my issue.


Thanks for all the feedback and assistance! This was a good learning experience for me!

