Logstash not binding to port 5044

JamesMcManus · January 23, 2018, 12:02am

Hey everyone,

Been fiddling around getting ELK stack running over the last couple days but have had issues getting other machines on the local network to send filebeat logs to logstash due to port 5044 not listening.

I've managed to get Kibana dashboards set up and visualizing system logs, but am unable to get an SSL connection over 5044 due to Logstash not binding to the port.

Config files as below

**02-beats-input.conf**
input {
beats {
type => beats
host => "localhost"
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

**10-syslog-filter.conf**
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %
{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %
{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

**30-elasticsearch-output**
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

**filebeat.yml**
############################# Filebeat ######################################
filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth*
        - /var/log/secure
        - /var/log/messages

      input_type: log
      document_type: syslog

############################# Output 
##########################################

output:

  ### Logstash as output
  logstash:
    # The Logstash hosts
    hosts: ["127.0.0.1:5044"]
    bulk_max_size: 1024

    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

magnusbaeck · January 23, 2018, 10:06am

Have you looked for clues in the Logstash log? What's the output of netstat -an | grep 5044?

JamesMcManus · January 24, 2018, 9:48pm

Had yesterday off so didn't check on here.

my results for netstat -an | grep 5044 are as below

tcp        0      0 192.168.10.21:56926     192.168.10.21:5044      FIN_WAIT2
tcp6       0      0 :::5044                 :::*                    LISTEN
tcp6      54      0 192.168.10.21:5044      192.168.10.21:56926     CLOSE_WAIT

I had a look at the logs and it seems to be having trouble hitting Elasticsearch, would this cause a failure to bind 5044?

{:timestamp=>"2018-01-25T03:37:57.576000+1100", :message=>"Cannot get new connection from 
pool.", :class=>"Elasticsearch::Transport::Transport::Error", :backtrace=>
["/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-
1.0.15/lib/elasticsearch/transport/transport/base.rb:193:in `perform_request'", 
"/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-
1.0.15/lib/elasticsearch/transport/transport/http/manticore.rb:54:in `perform_request'", 
"/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-
1.0.15/lib/elasticsearch/transport/transport/sniffer.rb:32:in `hosts'", 
"org/jruby/ext/timeout/Timeout.java:147:in `timeout'", 
"/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-
1.0.15/lib/elasticsearch/transport/transport/sniffer.rb:31:in `hosts'", 
"/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-
1.0.15/lib/elasticsearch/transport/transport/base.rb:76:in `reload_connections!'", 
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-
java/lib/logstash/outputs/elasticsearch/http_client.rb:72:in `sniff!'", 
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-
java/lib/logstash/outputs/elasticsearch/http_client.rb:60:in `start_sniffing!'", 
"org/jruby/ext/thread/Mutex.java:149:in `synchronize'", 
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-
java/lib/logstash/outputs/elasticsearch/http_client.rb:60:in `start_sniffing!'", 
"org/jruby/RubyKernel.java:1479:in `loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-
output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch/http_client.rb:59:in 
`start_sniffing!'"], :level=>:error}

magnusbaeck · January 25, 2018, 10:07am

If the pipeline has stalled because the outputs aren't processing messages then I believe the beats input will reject connections to apply backpressure, so yes, fix the ES problem first.

system · February 22, 2018, 10:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash not listening to 5044 Logstash	3	5034	July 29, 2021
Can't connect to Logstash port 5044 from Filebeat Logstash	1	481	November 26, 2020
Unable to listen on port 5044 for logstash Logstash	1	851	November 3, 2017
Logstash port 5044 is not listening Logstash	4	2423	December 7, 2017
ELK + Filebeat Elasticsearch	8	2294	April 5, 2018

Logstash not binding to port 5044

Related topics