Logstash Error "Error: Address already in use"

sandy6 · January 24, 2019, 12:25pm

Hi,
I have apache pipeline with multiple match patterns. Here is the code

input {
beats {
port => 5044
id => "apache-access"
}
}
filter {
if [fields][log] == "apache-access" {
grok {
match => [
"message", '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}',
"message", '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) (?:-|%{NUMBER:tosinsec:int}) (?:-|%{NUMBER:tosinmicrosec:int})'
]
}
}

When i run with "--config.test_and_exit" flag, it says "Config Validation Result: OK". But when i start logstash service i am seeing this error in logstash log file

Error: Address already in use
Exception: Java::JavaNet::BindException

sandy6 · January 24, 2019, 12:58pm

I am trying to write one pipeline to parse the below logs

127.0.0.1 - - [09/Nov/2018:10:58:28 +0530] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
127.0.0.1 - - [09/Nov/2018:10:58:28 +0530] "GET test.min.css HTTP/1.1" 200 19341 "http://127.0.0.1/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
127.0.0.1 - - [17/Jan/2019:11:43:26 +0530] "GET /theme/css/test.css HTTP/1.1" 200 1170 0 285
127.0.0.1 - - [17/Jan/2019:11:43:26 +0530] "GET /theme/css/test.css HTTP/1.1" 200 314 0 240

some logs have "referer & user-agent" and some doesn't have. Other logs have extra data like "time to serve in sec and milliseconds".

Please tell me how to write one pipeline with multiple matches to work for both types of logs.

Badger · January 24, 2019, 3:18pm

I would use dissect to do the initial parsing

    dissect { mapping => { "message" => '%{clientIP} - - [%{ts}] "%{method} %{uri} %{protocol}" %{status} %{something} %{restOfLine}' } }

Then use a grok with multiple patterns to do the rest

grok {
    match => {
        "restOfLine" => [
            "^%{INT:i1} %{INT:i2}",
            "^%{QS:referer} %{QS:useragent}"
        ]
    }
}

sandy6 · January 25, 2019, 4:38am

Thanks Badger. I will try your solution. Is there is anything wrong with my code?

system · February 22, 2019, 4:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Error: Address already in use Logstash	3	2297	January 4, 2018
Logstash 5044 address already in use Logstash	2	2007	February 22, 2020
Already used ports Logstash	2	509	October 12, 2018
Logstash Error: address already in use issue Logstash	1	318	February 6, 2019
Logstash gives error "Error: Address already in use" when ingesting filebeat with two inputs Logstash	1	2037	April 30, 2020

Logstash Error "Error: Address already in use"

Related topics