How to bind port with Logstash service?

Hi,

I hope everyone is doing great. I am very new to ELK stack and deploying it on two virtual machines. One is for Logstash and the other is for Kibana and Elastic search.

OS is Windows Server 2012 R2. I am setting up the ELK stack on my Windows boxes by following this guide: https://www.ulyaoth.net/resources/tutorial-install-logstash-and-kibana-on-a-windows-server.34/

The only difference is that the author has deployed the stack on one machine, but I am setting up two. Now, when I run Logstash, it doesn't bind the port that is mentioned in logstash.conf, i.e. 5544.

I am using nxlog for log forwarding. The machine where nxlog is installed is throwing an error, i.e. "couldn't connect to tcp socket on 192.195.88.223:5544; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

I ran portqry on my Logstash server; it's not listening on port 5544.

What could be the problem or how to bind port to logstash?

What's your configuration? What's in the Logstash logs during startup? If it has problems binding to a port I'd expect there to be a big error message about that. Could there be a firewall blocking the access?

Thanks Magnus for prompt reply.

Here are the contents of logstash.conf:

input {
  tcp {
    port => 5544
  }
}

output {
  elasticsearch {
    host => "192.195.88.229"
    protocol => "http"
  }
}

I have created a service using nssm with these parameters:

logstash.bat agent -f c:/logstash/bin/logstash.conf

Moreover, how can I enable debug logging for Logstash?

Start it with --verbose or --debug.

Is my conf file okay? Sorry for the stupid questions, but I am very new to this stack. As a Windows admin, Linux stuff always freaks me out :slight_smile:

Yes, the config file looks okay but I suggest you use a systematic approach and temporarily skip the elasticsearch output in favor of a simple stdout output to verify that the input works and that the messages look reasonable. Add complexity gradually.

Hi Again,

It looks like it's working. I omitted the full path when mentioning logstash.conf and it started working. Thanks a lot for your help. Now I have a question: how can I ship logs to Logstash using Windows Event subscriptions and group policy? Should I create a new discussion for it?

Well, it's a different subject, so please start a new topic.

Sure. Thanks.

Hi

I am facing an issue with my Logstash:

I receive this error message from nxlog:

2016-01-20 15:22:23 INFO connecting to x.x.x.x:5140
2016-01-20 15:22:24 INFO reconnecting in 200 seconds
2016-01-20 15:22:24 ERROR couldn't connect to tcp socket on x.x.x.x:5140; No connection could be made because the target machine actively refused it.

I obviously understand that nothing is listening on this port, but how can I be sure my Logstash is properly set up to listen on port 5140?

Here is my conf:

input {
  tcp {
    port => 5140
    type => "nxlog"
    codec => line {
      charset => "CP1252"
    }
  }
}

filter {
  if [type] == "nxlog" {
    json {
      source => "message"
    }
    mutate {
      rename => [ "Message", "message" ]
      # remove_field => [ "champ1", "champ2" ]
    }
  }
}

output {
  stdout { debug => true }
}

I understand your point about using --verbose to see what's going on with Logstash, but on Windows I have no clue how to use it... I tried "netstat logstash --verbose" but it's not working.

My setup:
Windows server 2012
nxlog
ELK (latest binaries) -> all running on the same server

Thank you.

@prbreezy—please start a new topic for your question.
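The two nxlog errors in this thread point at different causes: "actively refused" means the host answered but nothing is bound to the port, while "did not properly respond after a period of time" usually means a firewall or a wrong address. The Python 3 script below is an added example (not from the thread, nor from Logstash or nxlog) that classifies a connect attempt the same way and pushes one nxlog-style JSON line into a tcp input, so the input and json filter can be checked against a plain stdout output before the elasticsearch output is added. The fake listener is a local stand-in used only so the checks can be demonstrated offline.

```python
import json
import queue
import socket
import threading


def probe_port(host, port, timeout=3.0):
    """Map a TCP connect to host:port onto the failures nxlog reports:
    "refused" = host up, nothing bound ("actively refused it"); "timeout" =
    no reply, usually a firewall or wrong address ("did not properly respond")."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"  # no route, or name lookup failed


def send_test_event(host, port, event, timeout=3.0):
    """Send one newline-terminated JSON document the way nxlog's om_tcp does,
    so the tcp input and json filter can be checked against a stdout output."""
    line = (json.dumps(event) + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(line)
    return len(line)


def start_fake_logstash(host="127.0.0.1"):
    """Demo-only stand-in for the tcp input + json filter: listen on an
    OS-chosen port, split the stream into lines, parse each line as JSON and
    queue the resulting dicts.  Returns (port, queue)."""
    events = queue.Queue()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:  # daemon thread, exits with the process
            conn, _ = srv.accept()
            with conn, conn.makefile("r", encoding="utf-8") as stream:
                for raw in filter(str.strip, stream):
                    events.put(json.loads(raw))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], events
```

Against a real server, call probe_port with the Logstash host and port from the config (5544 or 5140 above); a "refused" result from the Logstash box itself means the service never bound the port, so look at the startup log, while "timeout" from the nxlog box only means the path is blocked.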