Logstash Error "Error: Address already in use"

sandy6 · January 24, 2019, 12:25pm

Hi,
I have apache pipeline with multiple match patterns. Here is the code

input {
beats {
port => 5044
id => "apache-access"
}
}
filter {
if [fields][log] == "apache-access" {
grok {
match => [
"message", '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}',
"message", '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) (?:-|%{NUMBER:tosinsec:int}) (?:-|%{NUMBER:tosinmicrosec:int})'
]
}
}

When i run with "--config.test_and_exit" flag, it says "Config Validation Result: OK". But when i start logstash service i am seeing this error in logstash log file

Error: Address already in use
Exception: Java::JavaNet::BindException

sandy6 · January 24, 2019, 12:58pm

I am trying to write one pipeline to parse the below logs

127.0.0.1 - - [09/Nov/2018:10:58:28 +0530] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
127.0.0.1 - - [09/Nov/2018:10:58:28 +0530] "GET test.min.css HTTP/1.1" 200 19341 "http://127.0.0.1/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
127.0.0.1 - - [17/Jan/2019:11:43:26 +0530] "GET /theme/css/test.css HTTP/1.1" 200 1170 0 285
127.0.0.1 - - [17/Jan/2019:11:43:26 +0530] "GET /theme/css/test.css HTTP/1.1" 200 314 0 240

some logs have "referer & user-agent" and some doesn't have. Other logs have extra data like "time to serve in sec and milliseconds".

Please tell me how to write one pipeline with multiple matches to work for both types of logs.

Badger · January 24, 2019, 3:18pm

I would use dissect to do the initial parsing

    dissect { mapping => { "message" => '%{clientIP} - - [%{ts}] "%{method} %{uri} %{protocol}" %{status} %{something} %{restOfLine}' } }

Then use a grok with multiple patterns to do the rest

grok {
    match => {
        "restOfLine" => [
            "^%{INT:i1} %{INT:i2}",
            "^%{QS:referer} %{QS:useragent}"
        ]
    }
}

sandy6 · January 25, 2019, 4:38am

Thanks Badger. I will try your solution. Is there is anything wrong with my code?

system · February 22, 2019, 4:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash error on Raspberry Pi 4 running Ubuntu Server 20.04.2 Logstash	3	341	March 19, 2021
Filebeat error for port ERROR: Address already in use Logstash	2	285	July 18, 2023
Same pattern file gives pattern not define for only one pattern Logstash	2	415	July 2, 2018
Logstash not starting properly Logstash	13	6029	March 19, 2018
Javapipeline unrecoverable error - Logstash Logstash	3	960	October 8, 2019

Logstash Error "Error: Address already in use"

Related Topics