Logstash ERROR: EADDRINUSE: Address already in use

Elastic Stack Logstash
1

Hello, I'm trying to direct the pfsense logs to elasticsearch, all the tutorials I've found use the UDP port 5140, my pfsense can send the logs to that server on that port, but the logstash at startup shows the error below:

Starting UDP listener {: address => "0.0.0.0:5140"}
UDP listener died {: exception => # <Errno :: EADDRINUSE: Address already in use

I already checked how many instances of logstash are running, I changed the port, but the error is always the same, any idea to solve this?

Logstash Version: 5.6.5
Elasticsearch Version: 5.6.5
Kibana Version: 5.6.5

2

What does grep udp /etc/logstash/conf.d/* (or wherever you store your config files) result in? How about netstat -an | grep 5140 when Logstash isn't running?

3

root@logs:/# grep udp /etc/logstash/conf.d/*
/etc/logstash/conf.d/01-inputs.conf:#udp syslogs stream via 5140
/etc/logstash/conf.d/01-inputs.conf: udp {

root@logs:/# netstat -an | grep 5140
tcp 0 0 0.0.0.0:5140 0.0.0.0:* OUÇA
tcp6 0 0 :::5140 :::* OUÇA
udp 0 0 0.0.0.0:5140 0.0.0.0:*
udp6 0 0 :::5140 :::*

4

Well, the netstat output shows that you have a process listening on that port. Run netstat -tulpn to get information about which process it is.

5

root@logs:/# netstat -tulpn
Conexões Internet Ativas (somente servidores)
Proto Recv-Q Send-Q Endereço Local Endereço Remoto Estado PID/Program name
tcp 0 0 0.0.0.0:5140 0.0.0.0:* OUÇA 1889/rsyslogd
tcp 0 0 0.0.0.0:22 0.0.0.0:* OUÇA 1061/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* OUÇA 1224/0
tcp 0 0 0.0.0.0:5601 0.0.0.0:* OUÇA 1431/node
tcp6 0 0 127.0.0.1:9200 :::* OUÇA 1300/java
tcp6 0 0 ::1:9200 :::* OUÇA 1300/java
tcp6 0 0 :::5140 :::* OUÇA 1889/rsyslogd
tcp6 0 0 127.0.0.1:9300 :::* OUÇA 1300/java
tcp6 0 0 ::1:9300 :::* OUÇA 1300/java
tcp6 0 0 :::22 :::* OUÇA 1061/sshd
tcp6 0 0 ::1:6010 :::* OUÇA 1224/0
udp 0 0 0.0.0.0:5140 0.0.0.0:* 1889/rsyslogd
udp6 0 0 :::5140 :::* 1889/rsyslogd

6

Okay, so rsyslogd already hogs port 5140.

7

if I change the logstash port to 5141 can I get the logs that are coming from pfsense to rsyslog on port 5140?

8

I suppose you could modify the rsyslog configuration to pass on the messages it receives to Logstash.

9

Thanks for the help, I changed the logstash port and set up rsyslog to send the logs to logstash, it works fine :slight_smile:

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.