How to configure Logstash to listen on a privileged port without root access


#1

I want to collect syslogs from a Cisco switch, which will use UDP 514 to send them.
I tried the setcap command and port forwarding on the firewall, but failed. I used the following commands:

setcap:

setcap cap_net_bind_service=+epi /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-1.b14.el7_2.x86_64/jre/bin/java
setcap cap_net_bind_service=+epi /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2.x86_64/jre/bin/java

Firewall commands:
firewall-cmd --permanent --add-forward-port=port=514:proto=tcp:toport=5514
firewall-cmd --permanent --add-forward-port=port=514:proto=udp:toport=5514

What did I do wrong? Is there any other way to achieve the same goal? Please help.

My Logstash conf file:

input {
  beats {
    port => 5000
    type => "filebeat"
  }
  beats {
    port => 5001
    type => "winlogbeat"
  }
  syslog {
    port => 514
    type => "syslog"
  }
}

Filebeat filter

filter {
  # ignore log comments
  if [message] =~ "^#" {
    drop {}
  }
  grok {
    # patterns_dir => "./patterns"
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:servername1} %{IPORHOST:serverip} %{WORD:verb} %{NOTSPACE:request1} %{GREEDYDATA:request2} %{NUMBER:port} %{IPORHOST:clientip} %{NOTSPACE:protocol} %{NOTSPACE:querystring} %{IPORHOST:servername} %{NOTSPACE:agent} %{NOTSPACE:referrer} %{NUMBER:response} %{NUMBER:sub_response} %{NUMBER:sc_status} %{NUMBER:responsetime}" }
  }
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
    locale => "en"
  }
}

Second filter

filter {
  if "_grokparsefailure" in [tags] {
    # leave events that failed to parse untouched so the raw message is kept
  } else {
    # on success remove the message field to save space
    mutate {
      # remove_field => ["message", "timestamp", "servername", "servername1"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["172.........:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
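As an added example (not the poster's configuration or commands, and not part of Logstash), here is a bash pre-flight check that encodes the two things that have to line up for a non-root Logstash to receive syslog on UDP 514 via firewalld: an input on a port below 1024 cannot be bound by an unprivileged user unless the java binary carries CAP_NET_BIND_SERVICE, and a forward-port rule only helps if some input actually listens on its toport. The sample configuration strings and the forward rule are constructed from the values in the post; the function names are my own.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not the poster's code): does a Logstash pipeline
# plus a set of firewalld forward-port rules work for an unprivileged user?
#   1. binding a port below 1024 needs root or CAP_NET_BIND_SERVICE;
#   2. a forward-port rule only helps if Logstash listens on its toport.

# Print every "port => N" found in the input { } section of a config read
# from stdin. Section tracking is deliberately simple and assumes the flat
# layout used in the thread (input, filter, output at top level).
logstash_input_ports() {
  awk '
    /^[[:space:]]*input[[:space:]]*[{]/            { in_input = 1 }
    /^[[:space:]]*(filter|output)[[:space:]]*[{]/  { in_input = 0 }
    in_input && /port[[:space:]]*=>/ {
      sub(/.*port[[:space:]]*=>[[:space:]]*/, "")
      sub(/[^0-9].*/, "")
      print
    }'
}

# Ports below 1024 are privileged on Linux.
is_privileged_port() {
  [ "$1" -lt 1024 ]
}

# Extract the toport from a firewall-cmd forward spec such as
# "port=514:proto=udp:toport=5514".
forward_target_port() {
  printf '%s\n' "$1" | sed -n 's/.*toport=\([0-9][0-9]*\).*/\1/p'
}

# check_pipeline CONFIG_TEXT RULE... : report privileged input ports and
# forward rules whose toport no input listens on. Returns 0 when clean.
check_pipeline() {
  local conf="$1" rc=0 ports p rule t
  shift
  ports=$(printf '%s\n' "$conf" | logstash_input_ports)
  for p in $ports; do
    if is_privileged_port "$p"; then
      echo "input binds privileged port $p: needs root or CAP_NET_BIND_SERVICE on the java binary"
      rc=1
    fi
  done
  for rule in "$@"; do
    t=$(forward_target_port "$rule")
    if [ -z "$t" ] || ! printf '%s\n' "$ports" | grep -qx "$t"; then
      echo "forward rule '$rule' targets port '${t:-?}' but no input listens there"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed samples: the thread's syslog input on 514, and the same input
# moved to 5514 so that it matches the forward rule.
CONF_AS_POSTED='input {
  beats { port => 5000 type => "filebeat" }
  syslog { port => 514 type => "syslog" }
}
output { stdout { } }'
CONF_UNPRIVILEGED=${CONF_AS_POSTED//port => 514 /port => 5514 }

# The rule from the post (the tcp twin is omitted; syslog here is UDP).
FORWARD_RULE="port=514:proto=udp:toport=5514"

check_pipeline "$CONF_AS_POSTED" "$FORWARD_RULE" || echo "as posted: not runnable unprivileged"
check_pipeline "$CONF_UNPRIVILEGED" "$FORWARD_RULE" && echo "with syslog on 5514: ok"
```

Run with bash: the first call reports both the syslog input on 514 and the forward to 5514 that nothing listens on, the second is clean. The parser only tracks top-level input, filter and output sections, so conditionals nested inside input { } would need a real config parser. Keep in mind that rules added with --permanent are not active until firewall-cmd --reload has been run.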


#2

Anyone have any ideas?


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.