Logstash input error

agonex · January 2, 2018, 11:56pm

Hi I need help with a issue in logstash...

I am testing a version 6 ELK and i have problems with inputs, i triying add another input type multiline and logs say me that:

2018-01-02T21:09:28.628326533Z [2018-01-02T21:09:28,627][ERROR][logstash.pipeline ] A plugin had an unrecoverable error. Will restart this plugin.
2018-01-02T21:09:28.628390469Z Pipeline_id:main
2018-01-02T21:09:28.628398379Z Plugin: <LogStash::Inputs::Tcp type=>"was", port=>9600, codec=><LogStash::Codecs::Multiline pattern=>"^(?%{MONTHDAY}[-]%{MONTHNUM}[-]%{YEAR})", negate=>true, what=>"previous", id=>"447f483e-0e3b-41cf-96f0-b16d1b874311", enable_metric=>true, charset=>"UTF-8", multiline_tag=>"multiline", max_lines=>500, max_bytes=>10485760>, id=>"07609f794bfeb61aefd210cc70219f7d4ac2ccfff30195be338a2f1162290f58", enable_metric=>true, host=>"0.0.0.0", mode=>"server", proxy_protocol=>false, ssl_enable=>false, ssl_verify=>true, ssl_key_passphrase=>>
2018-01-02T21:09:28.628415582Z Error: Address already in use
2018-01-02T21:09:28.628421205Z Exception: Java::JavaNet::BindException
2018-01-02T21:09:28.628427222Z Stack: sun.nio.ch.Net.bind0(Native Method)
2018-01-02T21:09:28.628433353Z sun.nio.ch.Net.bind(sun/nio/ch/Net.java:433)
2018-01-02T21:09:28.628439652Z sun.nio.ch.Net.bind(sun/nio/ch/Net.java:425)
2018-01-02T21:09:28.628445743Z sun.nio.ch.ServerSocketChannelImpl.bind(sun/nio/ch/ServerSocketChannelImpl.java:223)
2018-01-02T21:09:28.628476785Z sun.nio.ch.ServerSocketAdaptor.bind(sun/nio/ch/ServerSocketAdaptor.java:74)

I configure a new input type: "was":

input{
tcp {
type => "microservices"
port => 9500
codec => multiline{
pattern => "^(?%{MONTHDAY}[-]%{MONTHNUM}[-]%{YEAR})|"
negate => true
what => "previous"
}
}
tcp {
type => "was"
port => 9600
codec => multiline{
pattern => "^(?%{MONTHDAY}[-]%{MONTHNUM}[-]%{YEAR})"
negate => true
what => "previous"
}
}
tcp {
type => "monitoring"
port => 18080
}

tcp {
type => "atla_services"
port => 9800
codec => "json"

}
}
filter {
if [type] == "microservices"{
grok {
match => { "message" => "(?%{MONTHDAY}[-]%{MONTHNUM}[-]%{YEAR})?|(?%{HOUR}:%{MINUTE}:%{SECOND})?|(%{NONNEGINT:sss})?|(%{GREEDYDATA:cic})?|(%{GREEDYDATA:idc})?|(%{UUID:sesUID})?|(%{UUID:trnUID})?|(%{NONNEGINT:opnNro})?|(%{NONNEGINT:opnNroHost})?|(%{IP:servIp})?|(%{HOSTNAME:servNom})?|(%{GREEDYDATA:class})?|(%{NONNEGINT:idClass})?|(%{LOGLEVEL:loglevel})?|(%{GREEDYDATA:namespace}) ?|(%{WORD:method})?|(%{GREEDYDATA:msgMicroservices})?"}
}
}
if [type] == "was"{
grok {
match => { "message" => "%{DATE:fecha_was}? %{TIME:hora_was}? [(%{GREEDYDATA:cic})?] [(%{GREEDYDATA:session})?] : [%{LOGLEVEL:loglevel}] (%{GREEDYDATA:namespace}) ? - %{GREEDYDATA:msgWas}?" }
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
if [type] == "atla_services"{
elasticsearch {
hosts => ["host01:9200","host01:9203", "host01:9204"]
user => elastic
password => changeme
index => "microservices-%{+YYYY.MM.dd}"

}
else {
elasticsearch {
hosts => ["host01:9200","host01:9203", "host01:9204"]
user => elastic
password => changeme
}
stdout {
codec => rubydebug
}
}
}

this configuration without "was" input and filter works fine.. What i do bad?

I Have only 1 logstash instance, the port 9600 in free to use logstash input...

suggestions?

I sorry for my bad english.. =)

magnusbaeck · January 3, 2018, 9:14pm

Logstash's monitoring API is already listening on port 9600. Either disable the monitoring API or pick another port.

agonex · January 4, 2018, 3:43pm

Thanks Magnus...

system · February 1, 2018, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.