Logstash ERROR: EADDRINUSE: Address already in use

Bruno_Dias · December 18, 2017, 2:36pm

Hello, I'm trying to direct the pfsense logs to elasticsearch, all the tutorials I've found use the UDP port 5140, my pfsense can send the logs to that server on that port, but the logstash at startup shows the error below:

Starting UDP listener {: address => "0.0.0.0:5140"}
UDP listener died {: exception => # <Errno :: EADDRINUSE: Address already in use

I already checked how many instances of logstash are running, I changed the port, but the error is always the same, any idea to solve this?

Logstash Version: 5.6.5
Elasticsearch Version: 5.6.5
Kibana Version: 5.6.5

magnusbaeck · December 18, 2017, 2:40pm

What does grep udp /etc/logstash/conf.d/* (or wherever you store your config files) result in? How about netstat -an | grep 5140 when Logstash isn't running?

Bruno_Dias · December 18, 2017, 2:56pm

root@logs:/# grep udp /etc/logstash/conf.d/*
/etc/logstash/conf.d/01-inputs.conf:#udp syslogs stream via 5140
/etc/logstash/conf.d/01-inputs.conf: udp {

root@logs:/# netstat -an | grep 5140
tcp 0 0 0.0.0.0:5140 0.0.0.0:* OUÇA
tcp6 0 0 :::5140 :::* OUÇA
udp 0 0 0.0.0.0:5140 0.0.0.0:*
udp6 0 0 :::5140 :::*

magnusbaeck · December 18, 2017, 3:06pm

Well, the netstat output shows that you have a process listening on that port. Run netstat -tulpn to get information about which process it is.

Bruno_Dias · December 18, 2017, 5:21pm

root@logs:/# netstat -tulpn
Conexões Internet Ativas (somente servidores)
Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
tcp 0 0 0.0.0.0:5140 0.0.0.0:* OUÇA 1889/rsyslogd
tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 1061/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* OUÇA 1224/0
tcp 0 0 0.0.0.0:5601 0.0.0.0:* OUÇA 1431/node
tcp6 0 0 127.0.0.1:9200 :::* OUÇA 1300/java
tcp6 0 0 ::1:9200 :::* OUÇA 1300/java
tcp6 0 0 :::5140 :::* OUÇA 1889/rsyslogd
tcp6 0 0 127.0.0.1:9300 :::* OUÇA 1300/java
tcp6 0 0 ::1:9300 :::* OUÇA 1300/java
tcp6 0 0 :::22 :::* OUÇA 1061/sshd
tcp6 0 0 ::1:6010 :::* OUÇA 1224/0
udp 0 0 0.0.0.0:5140 0.0.0.0:* 1889/rsyslogd
udp6 0 0 :::5140 :::* 1889/rsyslogd

magnusbaeck · December 18, 2017, 6:43pm

Okay, so rsyslogd already hogs port 5140.

Bruno_Dias · December 19, 2017, 9:46am

if I change the logstash port to 5141 can I get the logs that are coming from pfsense to rsyslog on port 5140?

magnusbaeck · December 19, 2017, 9:55am

I suppose you could modify the rsyslog configuration to pass on the messages it receives to Logstash.

Bruno_Dias · December 20, 2017, 10:36am

Thanks for the help, I changed the logstash port and set up rsyslog to send the logs to logstash, it works fine

system · January 17, 2018, 10:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.