Logstash not listening for second input

I have set up a working ELK stack with input from winlogbeat. Now I want to add a second input for ingesting syslog logs from a switch. I configured my logstash to do so, but it still only listens on port 5044 after restarting. I have the logging level on DEBUG and there are no errors displayed. I just see that the second listener is not started. The output config works with beats and I did not change it. 'ss -tlpn' and 'netstat -luptn' show, that there is no socket with the port 514 as I would expect.

Here is my input config:

Why is the second listener not starting?

How are you starting Lostash? Are you running it as a service?

Ports lower than 1024 are privileged ports and reserved for the root user, if you are running Logstash as a service it will run as the logstash user, which cannot bind to this port and this will thrown an error.

Also, it is not recommended to run Logstash as a root, if you want to use port 514 you will need to use an iptables/firewall rule to forward connections into this port to a different port in the syslog input, 5514 for example or use setcap to allow the java process to bind to port 514, this blog post explains how to do it.

If the input is not running you will have an log about it but DEBUG level is pretty noise and can make you miss this log, this kind of error you can get without DEBUG, change your log level to INFO and start logstash again to get new logs.

Thank you very much, I made it work using the Linux Capability for java as shown in the blog post you mentioned.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.