Filebeat cannot assign requested address

sulfred · February 3, 2022, 2:07am

I am trying to read the syslog information by filebeat. I have my filebeat installed in docker. I get error message

ERROR   [syslog]        syslog/input.go:150     Error starting the servererrorlisten tcp 192.168.1.142:514: bind: cannot assign requested address

Here is the config file filebeat.yml :

filebeat.inputs:
- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "192.168.1.142:514"


#========================== Elasticsearch output ===============================
output.elasticsearch:
  hosts: ["${ELASTICSEARCH_HOST}:9200"]
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

#============================== Dashboards =====================================
setup.dashboards:
  enabled: true

#============================== Kibana =========================================
setup.kibana:
  host: "${KIBANA_HOST}:5601"
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

#================================== General ===================================
name: test_pc_ecs_log
tags: ["syslog"]

Here is /etc/rsyslog.conf

# provides UDP syslog reception                                                                                                                                                                        
module(load="imudp")
input(type="imudp" port="514")
 
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

I have checked the connection by and telnet are success:

netstat -4altunp | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 1332/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 1332/rsyslogd

I am following the config example from filebeat input doc. I would like to ask if anyone set up filebeat for syslog reading.

Thanks

warkolm · February 3, 2022, 2:25am

Welcome to our community!

If rsyslog is already using that port, then nothing else can. Are you trying to replace rsyslog?

sulfred · February 3, 2022, 4:17am

Thank you so much @warkomn. It works. I am new to ELK stask and dev ops setup. Really appreciate for your help.

I updated my docker-compose.yml, adding port forwarding:

    ports:
      - "514:514/tcp"
      - "514:514/udp"

and updated the config file filebeat.yml:

filebeat.inputs:
- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:514"

#========================== Elasticsearch output ===============================
output.elasticsearch:
  hosts: ["${ELASTICSEARCH_HOST}:9200"]
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

#============================== Dashboards =====================================
setup.dashboards:
  enabled: true

#============================== Kibana =========================================
setup.kibana:
  host: "${KIBANA_HOST}:5601"
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

# ================================== General ===================================
name: home_pc_ecs_log
tags: ["syslog"]

Here is a follow up question. How can I get the syslog data from my pc?
Previously I created a logstash pipeline like this:

input {
  file {
    path => ["/var/log/syslog"]
    type => "syslog"
    start_position => "beginning"
  }

}

## Add your filters / logstash plugins configuration here
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      target => "syslog_timestamp"
    }
  }
}

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    user => "elastic"
    password => "changeme"
    ecs_compatibility => disabled
    index => "syslog_log"
  }
}

The pipeline works but I want to reuse the dashboard provided from elk, filebeat. Now, I setup the filebeat with:

#============================== Dashboards =====================================
setup.dashboards:
  enabled: true

But there seems no data pushing into the beat. I would like to ask how can I setup correctly for my test case? I want to achieve:

reuse dashboard provided from elk
get local pc log data for testing

warkolm · February 3, 2022, 5:53am

They likely won't work because you are using a different index name, but you aren't using ECS, which it also requires.

sulfred · February 3, 2022, 9:25am

May I ask what is the correct setup for this?
How can I get the data and use the dashboard shipped with the elk to monitor the information provided by syslog ?

Thanks

system · March 3, 2022, 11:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat on local laptop does not talk to the Elasticsearch (also on local laptop) - dial tcp [::1]:9200: connect: cannot assign requested address Beats elastic-stack-security , docker , filebeat	7	1894	November 21, 2022
Unable to connect filebeat to elastic search host Beats docker , filebeat	3	316	March 23, 2023
Error: Cannot assign requested address (Docker) Logstash	3	7035	June 26, 2018
Filebeat + Netflow error: "bind: cannot assign requested address" Beats filebeat	4	2250	May 18, 2020
FileBeat to logstash via IPv6 - cannot assign requested address Beats filebeat	3	2867	November 28, 2019

Filebeat cannot assign requested address

Related Topics