Logstash can't load

Hi,
We have a 5-node Elasticsearch cluster running 5.2.0.
2 of the nodes are configured as client nodes (data=false, master=false),
3 nodes are Elasticsearch cluster nodes (data=true, master=true).

I installed Logstash on one of the 2 Kibana servers, as follows:

groupadd logstash
useradd logstash -g logstash -d /home/logstash
cat /etc/passwd | grep logstash

vi /etc/sudoers
Add the following line :
logstash ALL=(ALL) NOPASSWD: ALL

cd /home/logstash
chown logstash:logstash logstash-5.2.0.rpm

passwd logstash

--> connect with logstash

sudo rpm --install logstash-5.2.0.rpm

sudo initctl start logstash

Configured the IP of this server on the machine that sends the syslog.

Configured logstash.conf as follows:

input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["10.10.10.10:9200"] }
}

Getting this error:

[INFO ][logstash.inputs.tcp      ] Starting tcp input listener {:address=>"0.0.0.0:514"}
[ERROR][logstash.agent           ] Pipeline aborted due to error {:exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'", "org/jruby/RubyIO.java:871:in `new'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-4.1.0/lib/logstash/inputs/tcp.rb:279:in `new_server_socket'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-4.1.0/lib/logstash/inputs/tcp.rb:89:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:358:in `start_inputs'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:357:in `start_inputs'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:233:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:188:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:302:in `start_pipeline'"]}
[INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[WARN ][logstash.agent           ] stopping pipeline {:id=>"main"}

Any idea?

Out of the box, non-privileged users like logstash can't bind to ports <1024. There are a few ways to work around this. Please search the archives here (and perhaps on Stackoverflow) for all the details.
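
One of the workarounds the reply alludes to, as an added example that is not part of the thread: keep Logstash running as the unprivileged logstash user on a high port and let a root-owned NAT rule forward port 514 to it. The script flags the inputs that trigger the `EACCES` on `bind(2)` and prints the matching rules; the function names and the 5514 replacement port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Flags Logstash tcp/udp input ports that
# an unprivileged account cannot bind and prints a redirect-based fix.

# Constructed sample: the input section of the config posted above.
sample_config() {
  cat <<'EOF'
input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}
EOF
}

# Lowest port a non-root process may bind. Linux defaults to 1024; newer
# kernels expose the value through this sysctl file.
unpriv_port_start() {
  f=/proc/sys/net/ipv4/ip_unprivileged_port_start
  if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# Read a pipeline config on stdin, print "proto port" per tcp/udp input.
# Assumes the plugin name is followed by a space, as in "tcp {".
list_input_ports() {
  awk '
    $1 == "tcp" || $1 == "udp" { proto = $1 }
    proto != "" && /port[ \t]*=>/ {
      p = $0; sub(/.*port[ \t]*=>[ \t]*/, "", p); sub(/[^0-9].*/, "", p)
      if (p != "") print proto, p
    }
    index($0, "}") { proto = "" }
  '
}

# suggest_fixes [THRESHOLD]: for each input port below the threshold, print
# the replacement port and the NAT rule that forwards the original port to it.
suggest_fixes() {
  start=${1:-$(unpriv_port_start)}
  list_input_ports | while read -r proto port; do
    [ "$port" -lt "$start" ] || continue
    high=$((port + 5000))  # hypothetical choice: 514 -> 5514, assumed unused
    echo "# $proto/$port < $start: use 'port => $high' in the $proto input, then as root:"
    echo "iptables -t nat -A PREROUTING -p $proto --dport $port -j REDIRECT --to-ports $high"
  done
}

sample_config | suggest_fixes
```

`REDIRECT` in `PREROUTING` applies to packets arriving from other hosts, which matches the remote syslog sender here; the rules need to go into the host's persistent firewall configuration to survive a reboot.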
