How to bind port with Logstash service?

(Thy Fere) #1


I hope everyone is doing great. I am very new to ELK stack and deploying it on two virtual machines. One is for Logstash and the other is for Kibana and Elastic search.

OS is Windows Server 2012 R2. I am setting up the ELK stack on my Windows boxes by following this guide:

The only difference is that author has deployed stack on one machine but I am setting up two. Now, when I run the Logstash, it doesn't bind the port that is mention in logstash.conf, i.e. 5544.

I am using nxlog for logs forwarding. The machine where nxlog is installed throwing an error, i.e. "couldn't connect to tcp socket on; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

I ran portqry on my logstash server, it's not listening on port 5544.

What could be the problem or how to bind port to logstash?

(Magnus Bäck) #2

What's your configuration? What's in the Logstash logs during startup? If it has problems binding to a port I'd expect there to be a big error message about that. Could there be a firewall blocking the access?

(Thy Fere) #3

Thanks Magnus for prompt reply.

Here are the contents of logstash.conf:

input {
tcp {

port => 5544


output {
elasticsearch {
host => ""
protocol => "http"

I have created a service using nssm with these parameters:

logstansh.bat agent -f c:/logstash/bin/logstash.conf

Moreover, How can I enable debug logging for logstash?

(Magnus Bäck) #4

Start it with --verbose or --debug.

(Thy Fere) #5

Is my conf file is okay? Sorry for stupid questions but I am very new to this stack. As a Windows admin, Linux stuff always freaks me out :slight_smile:

(Magnus Bäck) #6

Yes, the config file looks okay but I suggest you use a systematic approach and temporarily skip the elasticsearch output in favor of a simple stdout output to verify that the input works and that the messages look reasonable. Add complexity gradually.

(Thy Fere) #7

Hi Again,

It looks like, it's working. I have omit the full path while mentioning logstash.conf and it started working. Thanks a lot for your help. Now, I have question that how can ship logs to logstash using Windows Events subscription and group policy? Should I create new discussion for it?

(Magnus Bäck) #8

Well, it's a different subject to please start a new topic.

(Thy Fere) #9

Sure. Thanks.

(Prbreezy) #10


I face an issue on my Logstash :

I receive this error message with nxlog :

2016-01-20 15:22:23 INFO connecting to x.x.x.x:5140
2016-01-20 15:22:24 INFO reconnecting in 200 seconds
2016-01-20 15:22:24 ERROR couldn't connect to tcp socket on x.x.x.x:5140; No connection could be made because the target machine actively refused it.

I obviously understand that the nothing is liseting on this port but how I can be sure my logstash is properly setup to lisen on this port 5140 ?

Here my conf :

input {
tcp {
port => 5140
type => "nxlog"
codec => line {
charset => "CP1252"

filter {
if [type] == "nxlog" {
json {
source => "message"
mutate {
rename => [ "Message", "message" ]
# remove_field => [ "champ1", "champ2" ]

output {
stdout { debug => true }

I understand your point use --verbose to see what s going on with logstash but for windows I have no clue how to use it... I try net stat logstash --verbose * but its not working.*

My setup:
Windows server 2012
ELK (last binary) -> all running on the same server

Thank you.

(Magnus Bäck) #11

@prbreezy—please start a new topic for your question.

(system) #12