Error in gathering syslogs from router

input {
  syslog {
    host => "10.216.123.213"
    type => "syslog"
  }
}

exception=>#<Errno::EADDRNOTAVAIL: Cannot assign requested address - bind - Cannot assign requested address>, :backtrace=>["org/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:149:in udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:130:in server'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:110:in `block in run'
exception=>#<Errno::EACCES: Permission denied

I'm pretty sure this is because the default port for syslog is UDP/514 and you are running Logstash as a non-privileged user. What we do is set up a non-standard port, like 10514, and send syslog traffic to that. Just add

port => 10514

and of course, modify the systems sending the logs so that they send to that port, and possibly add firewall rules on the Logstash system to allow inbound traffic to UDP/10514 from your sending systems.

I'm not sure if there is a way to start Logstash so that it starts up privileged, binds to a privileged port like 514, then releases its privileges.

Hi,

input {
  syslog {
    host => "10.216.131.209"
    type => "syslog"
    port => 10514
  }
}

I set the port number to 10514, but it still gives me the following warning:

Apr 11 15:09:29 hari-VirtualBox logstash[20457]: [2020-04-11T15:09:29,496][INFO ][logstash.inputs.syslog   ][main] Starting syslog tcp listener {:address=>"10.216.131.209:10514"}
Apr 11 15:09:29 hari-VirtualBox logstash[20457]: [2020-04-11T15:09:29,499][WARN ][logstash.inputs.syslog   ][main] syslog listener died {:protocol=>:tcp, :address=>"10.216.131.209:10514", :exception=>#<Errno::EADDRNOTAVAIL: Cannot assign requested address - bind - Cannot assign requested address>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:127:in `initialize'", "org/jruby/RubyIO.java:878:in `new'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:167:in `tcp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:130:in `server'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:114:in `block in run'"]}
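
The two exceptions quoted in this thread both come from bind(): Errno::EACCES points at a privileged port, while Errno::EADDRNOTAVAIL means the configured `host` is not an address assigned to the machine running Logstash (in the syslog input, `host` is the address to listen on, not the sender's address). The Ruby probe below is an added example, not part of the thread or of Logstash; the function names and the sample addresses are assumptions chosen for illustration, and it uses UDP only, although the same errors apply to the TCP listener.

```ruby
require "socket"

# Map the Errno raised by bind() to the likely configuration mistake.
BIND_DIAGNOSES = {
  Errno::EADDRNOTAVAIL => [:address_not_local,
    "host is not an address on this machine; listen on a local IP or 0.0.0.0"],
  Errno::EACCES => [:privileged_port,
    "ports below 1024 need privileges; pick a high port such as 10514"],
  Errno::EADDRINUSE => [:port_in_use,
    "another process already listens on this address and port"]
}.freeze

# Hypothetical helper: returns [symbol, advice] for a bind() exception.
def classify_bind_error(error)
  BIND_DIAGNOSES.each { |klass, diagnosis| return diagnosis if error.is_a?(klass) }
  [:other, error.message]
end

# Hypothetical helper: try to bind a UDP socket the way a syslog listener
# would, then release it. Returns [:ok, detail] or the failure diagnosis.
def probe_udp_bind(host, port)
  socket = UDPSocket.new
  socket.bind(host, port)
  [:ok, "bound #{host}:#{socket.local_address.ip_port}"]
rescue SystemCallError => e
  classify_bind_error(e)
ensure
  socket&.close
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: 192.0.2.1 is a documentation address
  # (RFC 5737) that is not assigned to any local interface.
  [["0.0.0.0", 0], ["192.0.2.1", 10514], ["0.0.0.0", 514]].each do |host, port|
    status, detail = probe_udp_bind(host, port)
    puts format("%-10s %-6s %-18s %s", host, port, status, detail)
  end
end
```

Run it as the same user that runs Logstash, on the Logstash host, with the `host` and `port` values from the pipeline configuration.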
