I have set up a working ELK stack with input from winlogbeat. Now I want to add a second input for ingesting syslog logs from a switch. I configured my logstash to do so, but it still only listens on port 5044 after restarting. I have the logging level on DEBUG and there are no errors displayed. I just see that the second listener is not started. The output config works with beats and I did not change it. 'ss -tlpn' and 'netstat -luptn' show, that there is no socket with the port 514 as I would expect.
How are you starting Lostash? Are you running it as a service?
Ports lower than 1024 are privileged ports and reserved for the root user, if you are running Logstash as a service it will run as the logstash user, which cannot bind to this port and this will thrown an error.
Also, it is not recommended to run Logstash as a root, if you want to use port 514 you will need to use an iptables/firewall rule to forward connections into this port to a different port in the syslog input, 5514 for example or use setcap to allow the java process to bind to port 514, this blog post explains how to do it.
If the input is not running you will have an log about it but DEBUG level is pretty noise and can make you miss this log, this kind of error you can get without DEBUG, change your log level to INFO and start logstash again to get new logs.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
