Filebeat cannot assign requested address

I am trying to read syslog information with Filebeat. I have Filebeat installed in Docker. I get this error message:

ERROR   [syslog]        syslog/input.go:150     Error starting the servererrorlisten tcp 192.168.1.142:514: bind: cannot assign requested address

Here is the config file filebeat.yml :

filebeat.inputs:
- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "192.168.1.142:514"


#========================== Elasticsearch output ===============================
output.elasticsearch:
  hosts: ["${ELASTICSEARCH_HOST}:9200"]
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

#============================== Dashboards =====================================
setup.dashboards:
  enabled: true

#============================== Kibana =========================================
setup.kibana:
  host: "${KIBANA_HOST}:5601"
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

#================================== General ===================================
name: test_pc_ecs_log
tags: ["syslog"]

Here is /etc/rsyslog.conf

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
 
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

I have checked the connection with netstat and telnet, and both succeed:

netstat -4altunp | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 1332/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 1332/rsyslogd

I am following the config example from the Filebeat input docs. I would like to ask if anyone has set up Filebeat for syslog reading.

Thanks

Welcome to our community! :smiley:

If rsyslog is already using that port, then nothing else can. Are you trying to replace rsyslog?
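Two bind failures come up when a listener is started inside a container: the requested IP is not configured on any interface in the container's network namespace ("cannot assign requested address", EADDRNOTAVAIL, the text of the error quoted in the question), or another process already holds the port (EADDRINUSE, the situation the reply describes). The following is an added Python check, not code from this thread or from Filebeat, that attempts a bind and classifies the errno it gets back. The addresses used as inputs are chosen here for the demonstration: 192.0.2.1 is a documentation-range address that no local interface carries, and 127.0.0.1 is the loopback.

```python
import errno
import socket


def try_bind(host: str, port: int, proto: str = "tcp") -> str:
    """Attempt to bind host:port and report the outcome as a short code.

    Returns one of:
      "ok"          -> the socket could be bound (it is released again)
      "not_local"   -> EADDRNOTAVAIL: the IP is not configured on any interface
                       in this network namespace; this is the failure behind
                       "bind: cannot assign requested address"
      "in_use"      -> EADDRINUSE: another process already holds the port
      "permission"  -> EACCES: ports below 1024 need privileges on most systems
      "error:<n>"   -> any other errno
    """
    sock_type = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, sock_type)
    try:
        sock.bind((host, port))
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            return "not_local"
        if exc.errno == errno.EADDRINUSE:
            return "in_use"
        if exc.errno == errno.EACCES:
            return "permission"
        return f"error:{exc.errno}"
    finally:
        sock.close()


def demo_in_use() -> str:
    """Hold an ephemeral loopback port with one socket and try to bind it again.

    Shows the EADDRINUSE case without needing a real daemon such as rsyslog
    to be running on the machine.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))          # port 0: kernel picks a free port
        held_port = holder.getsockname()[1]
        return try_bind("127.0.0.1", held_port)
    finally:
        holder.close()


if __name__ == "__main__":
    # Loopback with an ephemeral port is always bindable.
    print("127.0.0.1:0          ->", try_bind("127.0.0.1", 0))
    # 192.0.2.1 (TEST-NET-1) is not a local address, so bind cannot succeed,
    # exactly as a host LAN IP is not local inside a Docker container.
    print("192.0.2.1:0          ->", try_bind("192.0.2.1", 0))
    # Same port bound twice on the same address.
    print("already-held port    ->", demo_in_use())
```

Running the check inside the container with the same host and port that appears in `protocol.tcp.host` tells you which of the two problems you are looking at before touching the Filebeat configuration.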

Thank you so much @warkomn. It works. I am new to the ELK stack and DevOps setup. I really appreciate your help. :slight_smile:

I updated my docker-compose.yml, adding port forwarding:

    ports:
      - "514:514/tcp"
      - "514:514/udp"

and updated the config file filebeat.yml:

filebeat.inputs:
- type: syslog
  format: rfc5424
  protocol.tcp:
    host: "localhost:514"

#========================== Elasticsearch output ===============================
output.elasticsearch:
  hosts: ["${ELASTICSEARCH_HOST}:9200"]
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

#============================== Dashboards =====================================
setup.dashboards:
  enabled: true

#============================== Kibana =========================================
setup.kibana:
  host: "${KIBANA_HOST}:5601"
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}

# ================================== General ===================================
name: home_pc_ecs_log
tags: ["syslog"]

Here is a follow up question. How can I get the syslog data from my pc?
Previously I created a logstash pipeline like this:

input {
  file {
    path => ["/var/log/syslog"]
    type => "syslog"
    start_position => "beginning"
  }

}

## Add your filters / logstash plugins configuration here
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      target => "syslog_timestamp"
    }
  }
}

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    user => "elastic"
    password => "changeme"
    ecs_compatibility => disabled
    index => "syslog_log"
  }
}

The pipeline works, but I want to reuse the dashboards provided by ELK/Filebeat. Now I have set up Filebeat with:

#============================== Dashboards =====================================
setup.dashboards:
  enabled: true

But there seems to be no data being pushed into the beat. I would like to ask how I can set this up correctly for my test case. I want to achieve:

  • reuse dashboard provided from elk
  • get local pc log data for testing
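The grok pattern in the Logstash pipeline above parses classic BSD (RFC 3164) syslog lines, while the Filebeat input in this thread is configured with `format: rfc5424`. As an added illustration, not code from the thread, from Logstash or from Filebeat, here is a small Python parser that handles both formats, extracts the same fields the grok pattern names (`syslog_timestamp`, `syslog_hostname`, `syslog_program`, `syslog_pid`, `syslog_message`), and additionally decodes facility and severity from the priority value. The log lines embedded in it are constructed samples, and the year supplied for RFC 3164 timestamps is an assumption in the same way the Logstash `date` filter has to assume one.

```python
import re
from datetime import datetime
from typing import Optional

# RFC 3164 / BSD syslog, mirroring the grok pattern from the Logstash pipeline:
# SYSLOGTIMESTAMP SYSLOGHOST DATA(program)[POSINT(pid)]: GREEDYDATA(message)
# An optional leading <PRI> is accepted because relays often keep it.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>.*?)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# Structured data is either "-" or one or more [..] elements (escaped ] allowed).
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app_name>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"
    r"(?: (?P<message>.*))?$"
)


def split_priority(pri: Optional[str]) -> dict:
    """Decode <PRI>: facility is PRI // 8, severity is PRI % 8 (RFC 5424 §6.2.1)."""
    if pri is None:
        return {"facility": None, "severity": None}
    value = int(pri)
    return {"facility": value >> 3, "severity": value & 7}


def parse_bsd_timestamp(text: str, year: int) -> datetime:
    """RFC 3164 timestamps carry no year, so the caller supplies one
    (assumed here, as the Logstash date filter in the thread also must)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_syslog(line: str, year: int = 2021) -> Optional[dict]:
    """Return a dict of fields for an RFC 5424 or RFC 3164 line, else None."""
    m = RFC5424_RE.match(line)
    if m:
        fields = m.groupdict()
        fields.update(split_priority(fields["pri"]))
        fields["format"] = "rfc5424"
        return fields
    m = RFC3164_RE.match(line)
    if m:
        fields = m.groupdict()
        fields.update(split_priority(fields["pri"]))
        fields["syslog_timestamp"] = parse_bsd_timestamp(fields["timestamp"], year)
        fields["format"] = "rfc3164"
        return fields
    return None


# Constructed sample lines (not captured from any real system).
SAMPLE_LINES = [
    "Jan  5 10:15:32 home-pc sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52222 ssh2",
    "Jan 15 00:01:02 home-pc systemd: Started Daily apt activities.",
    '<34>1 2021-03-01T12:00:00.000Z home-pc filebeat 4321 ID47 [exampleSDID@32473 iut="3"] Connection established',
    "<13>1 2021-03-01T12:00:01Z home-pc app - - -",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_syslog(raw))
```

Feeding a few lines from `/var/log/syslog` through `parse_syslog` shows why a file tailed from disk (RFC 3164 text) and a TCP listener expecting RFC 5424 are not interchangeable: the first two samples parse only under the BSD pattern, the next two only under RFC 5424.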

They likely won't work because you are using a different index name, and you also aren't using ECS, which they require.

May I ask what the correct setup for this is?
How can I get the data and use the dashboard shipped with ELK to monitor the information provided by syslog?

Thanks

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.