Logstash listening on 3515 and 514

I am trying to get logstash listening on 3515 and 514 so I can ship logs from my Windows client and Bro sensor. I am using CentOS 6.6. Any thoughts would be awesome. I've been working on this for a few days.

Things I have done:

  • verified the system isn't listening using netstat -antup and netstat -ano
  • restarted ELK services
  • used netcat and see it open the port
  • Totally disabled iptables
  • disabled selinux
  • Checked NXLog on the Windows system and it lists the below

2015-07-12 23:20:36 INFO connecting to 172.10.10.15:3515
2015-07-12 23:20:57 INFO reconnecting in 32 seconds
2015-07-12 23:20:57 ERROR couldn't connect to tcp socket on 172.10.10.15:3515; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

  • rechecked my config files in /etc/logstash/conf.d. Below are the input files. They are saved as separate files.

3515 conf file

input {
  tcp {
    type => "WindowsEventLog"
    port => "3515"
    format => "json"
    tags => [ "Windows" ]
  }
}

514 conf file

input {
  udp {
    type => "syslog"
    port => "514"
  }
}

Just checking: You are running Logstash as root so that you're at all able to bind to port 514?

Thank you for your response. I use 'sudo service logstash start'. Is there another way to run it as root?

No, sudo service logstash start only runs the service command as root. To change which user Logstash runs as, change the LS_USER variable in /etc/sysconfig/logstash. But please avoid running Logstash as root.

Is there any other way to use port 514 for Logstash without running it as root?! I was under the assumption that yes, since the documentation just points out how to configure the logstash.conf file to receive syslog messages and it's using port 514 as an example. Makes one think that there is an easy way to do so.

Please advise,

Thanks
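
A bind probe for the two inputs in the question, added here as an example (Python 3; not code from any poster in the thread). Run as the account Logstash runs as, it separates "nothing is listening" from "this user may not bind the port", which is the distinction the replies about port 514 and root turn on. It assumes Linux defaults, where ports below 1024 need root or CAP_NET_BIND_SERVICE; the names `probe_bind` and `explain` are hypothetical.

```python
import errno
import socket

# (protocol, port) pairs taken from the two conf.d input files in the question.
INPUTS = [("tcp", 3515), ("udp", 514)]


def probe_bind(proto, port, host="0.0.0.0"):
    """Try to bind as the current user and classify the outcome."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    try:
        sock.bind((host, port))
    except OSError as exc:
        if exc.errno == errno.EACCES:
            return "permission-denied"
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        return "error: " + (exc.strerror or str(exc))
    finally:
        sock.close()
    return "bindable"


def explain(status):
    """Map a probe result to what it says about the Logstash input."""
    meanings = {
        "permission-denied": "this user may not bind the port "
                             "(below 1024 needs root or CAP_NET_BIND_SERVICE)",
        "in-use": "a process already holds the port, so a listener exists",
        "bindable": "port is free and this user may bind it; nothing is "
                    "listening, so check that Logstash loaded the input",
    }
    return meanings.get(status, status)


if __name__ == "__main__":
    for proto, port in INPUTS:
        status = probe_bind(proto, port)
        print("%s/%d: %s (%s)" % (proto, port, status, explain(status)))
```
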