Logstash and NXLOG Config?

Elastic Stack Logstash
1

Im trying to configure NXLOG and Logstash to send info to the ELK Stack. Im having trouble setting it up, my error is:

:message=>"Pipeline aborted due to error", :exception=>#<Errno::EADDRINUSE: Address already in use - bind - Address already in use:

I've currently got Elasticsearch binded to a domain and port 9200 and kibana is on 5601. I've been tyring to set up nxlog to use 9200 aswell but this is the error.

The nxlog output config is:

Module om_tcp
Host elk.etechdc.local
Port 9200

the full config for logstash is:
input {
tcp {
host => "elk.etechdc.local"
port => 9200
codec => "json"
}
stdout { codec => rubydebug }
}
filter {
grok {
pattern => [ "<%{POSINT:syslog_pri}>(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:syslog_timestamp8601}) %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" ]
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{@source_host}" ]
}

date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]

}

mutate {
    # Set source to what the message says
    rename => [ "Hostname", "@source_host" ]
}
mutate {
    # Rename some fields into something more useful
    rename => [ "Message", "@message" ]
    rename => [ "Severity", "eventlog_severity" ]
    rename => [ "SeverityValue", "eventlog_severity_code" ]
    rename => [ "Channel", "eventlog_channel" ]
    rename => [ "SourceName", "eventlog_program" ]
    rename => [ "SourceModuleName", "nxlog_input" ]
    rename => [ "Category", "eventlog_category" ]
    rename => [ "EventID", "eventlog_id" ]
    rename => [ "RecordNumber", "eventlog_record_number" ]
    rename => [ "ProcessID", "eventlog_pid" ]
}
mutate {
    # Remove redundant fields
    remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
    }
}

output {
elasticsearch {

hosts => "elk.etechdc.local"
}

}

2

Is that message from NXLog, Logstash or Elasticsearch?

So the data starts at NXLog. It then sends it off to elk.etechdc.local.
Logstash listens on host elk.etechdc.local, does some work on it, and then sends it off to elk.etechdc.local.

Are all 3 applications separate servers? Or are they all on the same server? It looks like they are all on the same server because you are using the same name on everything.

Try changing the NXLog and Logstash Input port. Pick something random like 9784. You also don't really need the host line. In fact I would remove it for troubleshooting purposes.

The overall process should be:

  1. NXLog sends data to the Logstash Host on port 9784.
  2. Logstash listens on port 9784.
  3. Logstash outputs data to the elasticsearch host.