Hi there, I recently lost all my data, and I'm trying to reinstall all the Logstash system I had before. The problem here is that I don't know if Logstash is taking packets from this IP address:
192.168.128.51
Specifications:
java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-8u171-b11-0ubuntu0.16.04.1-b11)
OpenJDK 64-Bit Server VM (build 25.171-b11, mixed mode)
logstash.yml configuration (the rest is left at the defaults)
# ------------ Metrics Settings --------------
#
# Bind address for the metrics REST endpoint
#
http.host: "192.168.128.51"
#
# Bind port for the metrics REST endpoint, this option also accept a range
# (9600-9700) and logstash will pick up the first available ports.
#
# http.port: 9600-9700
#
# ------------ Debugging Settings --------------
#
# Options for log.level:
# * fatal
# * error
# * warn
# * info (default)
# * debug
# * trace
#
log.level: info
path.logs: /var/log/logstash
#
Configuration in /etc/logstash/conf.d/iput-output.conf
input {
  tcp {
    host => "192.168.128.51"
    port => 5000
    id => "input-1"
  }
}
input {
  udp {
    host => "192.168.128.51"
    port => 5000
    id => "input-2"
  }
}
output {
  stdout { codec => rubydebug }
}
I have tried to look at /var/log/logstash but nothing seems to appear.
Is Logstash running at all? Is it listening to port 5000 (check with netstat)? Can you connect to that port? What happens if you send something to that port with e.g. netcat?
Thanks for your prompt reply @magnusbaeck. Apparently it's not listening (I just telneted that port and it's blocked), but I'm trying to open that port and I can't with the ufw rule hahaha
@magnusbaeck OK, I dunno what I have done but I can find some logs at /var/logs/logstash/logstash-plain.log, but I don't know if it's taking packets because an error appears at some plugin
[2018-05-25T13:00:07,714][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2018-05-25T13:00:07,750][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2018-05-25T13:00:07,861][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/var/lib/logstash/queue"}
[2018-05-25T13:00:07,869][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/var/lib/logstash/dead_letter_queue"}
[2018-05-25T13:00:08,915][INFO ][logstash.agent ] No persistent UUID file found. Generating new UUID {:uuid=>"a57e20e6-6e10-40a7-a4a5-58b40c2a0d5c", :path=>"/var/lib/logstash/uuid"}
[2018-05-25T13:00:10,041][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.2.4"}
[2018-05-25T13:00:10,484][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>5000}
[2018-05-25T13:00:11,847][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-05-25T13:00:11,914][INFO ][logstash.inputs.tcp ] Starting tcp input listener {:address=>"192.168.128.51:5000", :ssl_enable=>"false"}
[2018-05-25T13:00:12,380][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x162f76a0@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 sleep>"}
[2018-05-25T13:00:12,404][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"192.168.128.51:5000"}
[2018-05-25T13:00:12,455][ERROR][logstash.pipeline ] A plugin had an unrecoverable error. Will restart this plugin.
Pipeline_id:main
Plugin: <LogStash::Inputs::Tcp host=>"192.168.128.51", port=>5000, id=>"input-1", enable_metric=>true, codec=><LogStash::Codecs::Line id=>"line_a6338ac1-69c7-4a36-b8d5-080c81ac09e0", enable_metric=>true, charset=>"UTF-8", delimiter=>"$
Error: La dirección ya se está usando
Exception: Java::JavaNet::BindException
Stack: sun.nio.ch.Net.bind0(Native Method)
sun.nio.ch.Net.bind(sun/nio/ch/Net.java:433)
sun.nio.ch.Net.bind(sun/nio/ch/Net.java:425)
sun.nio.ch.ServerSocketChannelImpl.bind(sun/nio/ch/ServerSocketChannelImpl.java:223)
io.netty.channel.socket.nio.NioServerSocketChannel.doBind(io/netty/channel/socket/nio/NioServerSocketChannel.java:128)
io.netty.channel.AbstractChannel$AbstractUnsafe.bind(io/netty/channel/AbstractChannel.java:558)
io.netty.channel.DefaultChannelPipeline$HeadContext.bind(io/netty/channel/DefaultChannelPipeline.java:1283)
io.netty.channel.AbstractChannelHandlerContext.invokeBind(io/netty/channel/AbstractChannelHandlerContext.java:501)
io.netty.channel.AbstractChannelHandlerContext.bind(io/netty/channel/AbstractChannelHandlerContext.java:486)
io.netty.channel.DefaultChannelPipeline.bind(io/netty/channel/DefaultChannelPipeline.java:989)
io.netty.channel.AbstractChannel.bind(io/netty/channel/AbstractChannel.java:254)
io.netty.bootstrap.AbstractBootstrap$2.run(io/netty/bootstrap/AbstractBootstrap.java:364)
io.netty.util.concurrent.AbstractEventExecutor.safeExecute(io/netty/util/concurrent/AbstractEventExecutor.java:163)
io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(io/netty/util/concurrent/SingleThreadEventExecutor.java:403)
io.netty.channel.nio.NioEventLoop.run(io/netty/channel/nio/NioEventLoop.java:463)
io.netty.util.concurrent.SingleThreadEventExecutor$5.run(io/netty/util/concurrent/SingleThreadEventExecutor.java:858)
io.netty.util.concurrent.FastThreadLocalRunnable.run(io/netty/util/concurrent/FastThreadLocalRunnable.java:30)
java.lang.Thread.run(java/lang/Thread.java:748)
Logstash can't listen on 192.168.128.51:5000 because something's already listening there. Perhaps you already have a Logstash instance running? Or it's some other process. Use e.g. netstat to find which one.
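Added example (not written by any poster in this thread, and not Elastic's code): a Python scan of a Logstash log for listeners announced on the same transport and port, which is the condition a `BindException` points to. The sample lines are shortened from the log quoted above; the function names and labels are made up for this example, and it assumes the three announcement formats seen in that log.

```python
import re
from collections import defaultdict

# Constructed sample: entries shortened from the Logstash 6.2.4 log quoted in the thread.
SAMPLE_LOG = """\
[2018-05-25T13:00:10,484][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>5000}
[2018-05-25T13:00:11,914][INFO ][logstash.inputs.tcp ] Starting tcp input listener {:address=>"192.168.128.51:5000", :ssl_enable=>"false"}
[2018-05-25T13:00:12,404][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"192.168.128.51:5000"}
[2018-05-25T13:00:12,455][ERROR][logstash.pipeline ] A plugin had an unrecoverable error. Will restart this plugin.
Exception: Java::JavaNet::BindException
"""

# (pattern, transport, label) for each listener announcement seen in that log.
# The labels are hypothetical names chosen for this example.
LISTENER_PATTERNS = [
    (re.compile(r'Logstash API endpoint\s*\{:port=>(\d+)\}'), "tcp", "api-endpoint"),
    (re.compile(r'Starting tcp input listener\s*\{:address=>"[^"]*:(\d+)"'), "tcp", "tcp-input"),
    (re.compile(r'Starting UDP listener\s*\{:address=>"[^"]*:(\d+)"'), "udp", "udp-input"),
]

def find_listeners(log_text):
    """Map (transport, port) to the sorted labels of every listener the log announces."""
    listeners = defaultdict(set)
    for pattern, transport, label in LISTENER_PATTERNS:
        # finditer over the whole text copes with entries that were run together
        # on one line or wrapped across two, as in the pasted log.
        for match in pattern.finditer(log_text):
            listeners[(transport, int(match.group(1)))].add(label)
    return {key: sorted(labels) for key, labels in listeners.items()}

def port_conflicts(log_text):
    """Return entries where two different listeners ask for the same transport and port.

    Assumption: bind addresses are ignored, so this flags candidates to confirm with netstat.
    """
    return {key: labels for key, labels in find_listeners(log_text).items() if len(labels) > 1}

def has_bind_exception(log_text):
    """True when the log records the Java bind failure shown in the thread."""
    return "Java::JavaNet::BindException" in log_text

if __name__ == "__main__":
    for (transport, port), labels in port_conflicts(SAMPLE_LOG).items():
        print(f"{transport}/{port} requested by: {', '.join(labels)}")
    print("BindException logged:", has_bind_exception(SAMPLE_LOG))
```

On the sample it reports tcp/5000 requested by both the API endpoint and the tcp input; the UDP listener on the same port number is a different transport and is not flagged.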