Logstash cant load


(talia) #1

Hi,
we have a 5 nodes elasticsearch cluster running 5.2.0,
2 of the nodes are configured as client nodes (data=false, master=false),
3 nodes are elasticsearch cluster (data=true, master=true)

I install logstash in one of the 2 kibana servers, as follow:

groupadd logstash
useradd logstash -g logstash -d /home/logstash
cat /etc/passwd | grep logstash

vi /etc/sudoers
Add the following line :
logstash ALL=(ALL) NOPASSWD: ALL

cd /home/logstash
chown logstash:logstash logstash-5.2.0.rpm

passwd logstash

--> connect with logstash

sudo rpm --install logstash-5.2.0.rpm

sudo initctl start logstash

configured the IP of this server in the machine that send the syslog

config logstash.conf as follow:

input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["10.10.10.10:9200"] }
}

getting this error:

[INFO ][logstash.inputs.tcp      ] Starting tcp input listener {:address=>"0.0.0.0:514"}
[ERROR][logstash.agent           ] Pipeline aborted due to error {:exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'", "org/jruby/RubyIO.java:871:in `new'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-4.1.0/lib/logstash/inputs/tcp.rb:279:in `new_server_socket'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-4.1.0/lib/logstash/inputs/tcp.rb:89:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:358:in `start_inputs'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:357:in `start_inputs'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:233:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:188:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:302:in `start_pipeline'"]}
[INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[WARN ][logstash.agent           ] stopping pipeline {:id=>"main"}

Any idea?


(Magnus B├Ąck) #2

Out of the box, non-privileged users like logstash can't bind to ports <1024. There are a few ways to work around this. Please search the archives here (and perhaps on Stackoverflow) for all the details.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.