I want to install Logstash on EC2 Linux Ubuntu 22.04 and run a syslog input configuration, but I am facing an error

I followed this URL:

Installing Logstash | Logstash Reference [7.14] | Elastic

I followed the APT one.

Then, after the installation, I set the path of bin in an environment variable using the commands below.

1- Location of Logstash on Ubuntu (here you can see the logstash file):

	cd /usr/share/logstash

2- Set the bin path in the environment:

	echo 'export PATH=$PATH:/usr/share/logstash/bin' >> ~/.bashrc
	
	source ~/.bashrc

Then I created a conf file inside bin and ran logstash -f <filename>.conf --config.test_and_exit on that conf file. It is giving the below error:

You need to run logstash as the logstash user, and you also need to use the path.settings parameter to tell the binary where the settings files are.

Try the following:

sudo -u logstash /usr/share/logstash/bin/logstash -f /path/to/your.conf --path.settings="/etc/logstash" --config.test_and_exit

I was able to do the setup successfully. When I run my configuration using the syslog input plugin, it gives the below error:

[2024-01-09T05:57:29,726][WARN ][logstash.inputs.syslog   ][main][23661f886619ae58c9e40cd1e34ee10ecb939617186e5d173e5b3f2a673089a0] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:210:in `bind'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:191:in `udp_listener'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:172:in `server'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:152:in `block in run'"]}
[2024-01-09T05:57:34,682][INFO ][logstash.inputs.syslog   ][main][23661f886619ae58c9e40cd1e34ee10ecb939617186e5d173e5b3f2a673089a0] Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[2024-01-09T05:57:34,686][WARN ][logstash.inputs.syslog   ][main][23661f886619ae58c9e40cd1e34ee10ecb939617186e5d173e5b3f2a673089a0] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:129:in `initialize'", "org/jruby/RubyIO.java:876:in `new'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:208:in `tcp_listener'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:172:in `server'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:156:in `block in run'"]}
[2024-01-09T05:57:34,726][INFO ][logstash.inputs.syslog   ][main][23661f886619ae58c9e40cd1e34ee10ecb939617186e5d173e5b3f2a673089a0] Starting syslog udp listener {:address=>"0.0.0.0:514"}
[2024-01-09T05:57:34,727][WARN ][logstash.inputs.syslog   ][main][23661f886619ae58c9e40cd1e34ee10ecb939617186e5d173e5b3f2a673089a0] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:210:in `bind'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:191:in `udp_listener'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:172:in `server'", "/home/ubuntu/logstash-7.14/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:152:in `block in run'"]}

You need to change the port; ports below 1024 are reserved for the root user and Logstash does not run as root.

Choose a higher port number like 5514.
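
As an added example (not from the thread or the Logstash project), this pre-flight check scans a pipeline file for syslog, tcp and udp inputs that would bind below 1024 when Logstash runs as a non-root user, including a syslog input with no port set, which falls back to 514. The function names and sample config are constructed for illustration; it assumes `#` only starts comments and that tcp inputs run in their default server mode.

```python
import re

PRIVILEGED_BELOW = 1024    # Linux default: lower ports need root or CAP_NET_BIND_SERVICE
SYSLOG_DEFAULT_PORT = 514  # logstash-input-syslog listens here when no port is set

# Constructed sample pipeline (not the poster's file).
SAMPLE_CONF = """
input {
  syslog { type => "firewall" }
  syslog { port => 5514 type => "app" }
  udp    { port => 514 }
}
output { stdout { codec => rubydebug } }
"""

def block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unbalanced braces: take the rest

def privileged_listeners(conf, uid):
    """List (plugin, port) pairs that the given non-root uid cannot bind."""
    if uid == 0:
        return []
    conf = re.sub(r'#.*', '', conf)  # drop comments (assumes no '#' in strings)
    top = re.search(r'\binput\s*\{', conf)
    if not top:
        return []
    inputs = block_body(conf, top.end() - 1)
    found = []
    for m in re.finditer(r'\b(syslog|tcp|udp)\s*\{', inputs):
        body = block_body(inputs, m.end() - 1)
        port = re.search(r'\bport\s*=>\s*"?(\d+)', body)
        if port:
            number = int(port.group(1))
        elif m.group(1) == "syslog":
            number = SYSLOG_DEFAULT_PORT  # omitted port still means 514
        else:
            continue  # tcp/udp need an explicit port; nothing to check
        if number < PRIVILEGED_BELOW:
            found.append((m.group(1), number))
    return found

if __name__ == "__main__":
    for plugin, number in privileged_listeners(SAMPLE_CONF, uid=1000):
        print(f"{plugin} input on port {number}: bind fails with EACCES as non-root")
```
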
