Hi,
We have a 5-node Elasticsearch cluster running 5.2.0.
2 of the nodes are configured as client nodes (data=false, master=false),
3 nodes are the Elasticsearch cluster (data=true, master=true).
I installed Logstash on one of the 2 Kibana servers, as follows:
groupadd logstash
useradd logstash -g logstash -d /home/logstash
cat /etc/passwd | grep logstash
vi /etc/sudoers
Add the following line:
logstash ALL=(ALL) NOPASSWD: ALL
cd /home/logstash
chown logstash:logstash logstash-5.2.0.rpm
passwd logstash
--> connect with logstash
sudo rpm --install logstash-5.2.0.rpm
sudo initctl start logstash
I configured the IP of this server on the machine that sends the syslog.
I configured logstash.conf as follows:
input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { hosts => ["10.10.10.10:9200"] }
}
I am getting this error:
[INFO ][logstash.inputs.tcp ] Starting tcp input listener {:address=>"0.0.0.0:514"}
[ERROR][logstash.agent ] Pipeline aborted due to error {:exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'", "org/jruby/RubyIO.java:871:in `new'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-4.1.0/lib/logstash/inputs/tcp.rb:279:in `new_server_socket'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-4.1.0/lib/logstash/inputs/tcp.rb:89:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:358:in `start_inputs'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:357:in `start_inputs'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:233:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:188:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:302:in `start_pipeline'"]}
[INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[WARN ][logstash.agent ] stopping pipeline {:id=>"main"}
Any idea?
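
The log above shows bind(2) failing with EACCES on port 514; on Linux, ports below 1024 can be bound only by root or by a process holding CAP_NET_BIND_SERVICE. As an added example (not part of the original post), this shell check scans a pipeline file for such input ports; the function names, the uid 1000 and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for Logstash
# input ports that a non-root service account cannot bind on Linux.

# Print each distinct port below 1024 found in the top-level input { } section.
privileged_input_ports() {
    awk '
        depth == 0 && /^[ \t]*input[ \t]*[{]/ { in_input = 1 }
        in_input && /port[ \t]*=>[ \t]*[0-9]+/ {
            p = $0
            sub(/.*port[ \t]*=>[ \t]*/, "", p)   # strip up to the number
            sub(/[^0-9].*/, "", p)               # strip what follows it
            if (p + 0 < 1024) print p
        }
        {   # track brace depth to notice where input { } closes
            t = $0; depth += gsub(/[{]/, "", t)
            t = $0; depth -= gsub(/[}]/, "", t)
            if (depth == 0) in_input = 0
        }
    ' "$1" | sort -un
}

# Return 1 (and explain) if the given numeric uid cannot bind an input port.
# Assumption: no CAP_NET_BIND_SERVICE grant and the default privileged range.
check_input_ports() {
    conf=$1; run_uid=$2; rc=0
    for p in $(privileged_input_ports "$conf"); do
        if [ "$run_uid" -ne 0 ]; then
            echo "port $p: uid $run_uid will get EACCES from bind(2)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config, modelled on the inputs and output in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 5514
  }
}
output {
  elasticsearch { hosts => ["10.10.10.10:9200"] }
}
EOF
check_input_ports "$sample" 1000 || true   # 1000 stands in for the logstash uid
```

Moving the listener to a port of 1024 or above, and pointing the syslog senders at it, lets the service keep running unprivileged.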