I tried using the Microsoft Sentinel output plugin for Logstash, but I get an error:
A plugin had an unrecoverable error. Will restart this plugin
Error: address already in use
I used two output plugins. One is the Log Analytics plugin, which is working correctly, but the new plugin doesn't work.
I just checked another instance of logstash but I don't have
My conf file:
input {
  tcp {
    port => 30050
    codec => "json"
    tags => "app1"
  }
  beats {
    port => 5044
    tags => "app2"
  }
}
filter {
  if "GC(" in [message] {
    drop { }
  }
}
output {
  if "app1" in [tags] {
    microsoft-logstash-output-azure-loganalytics {
      workspace_id => "xxxxxxxxxxxxxxxxxxxxxx"
      workspace_key => "xxxxxxxxxxxxxxxxxxxxxx"
      custom_log_table_name => "app1"
    }
  }
  else if "app2" in [tags] {
    microsoft-sentinel-logstash-output-plugin {
      client_app_Id => "aaaaaaaaaaaaaaa"
      client_app_secret => "bbbbbbbbbbbbbbbbb"
      tenant_id => "1234567"
      data_collection_endpoint => "https://dce-endpoint"
      dcr_immutable_id => "dcr-asdasdsad"
      dcr_stream_name => "Custom-app2_CL"
      create_sample_file => false
      sample_file_path => "c:\\temp"
    }
  }
}
So, you do not use Logstash as a service with systemctl? Are you sure that you do not have another instance running?
The error you got was pretty clear: some process in your system was already using port 5044, the process with the PID 6001. There is not much to it; if this is not Logstash, you need to check in your system what is listening on port 5044.
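
A quick way to confirm the diagnosis in the reply above, as an added example (not code from this thread or from Logstash): it reads the listener ports out of the pipeline's `input` block and tries to bind each one, which fails with the same "address already in use" condition when another process holds the port. The function names and the simplified brace matching are assumptions of this example; run it while Logstash is stopped.

```python
import errno
import os
import re
import socket

# Constructed sample: the input section of the pipeline posted above.
SAMPLE_CONF = """
input {
  tcp { port => 30050 codec => "json" tags => "app1" }
  beats { port => 5044 tags => "app2" }
}
"""

def input_block(conf):
    """Return the text inside the top-level input { ... } block.
    Assumption: no braces inside quoted strings (simple brace matching)."""
    m = re.search(r"^\s*input\s*\{", conf, re.MULTILINE)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return conf[m.end():]

def listener_ports(conf):
    """Ports that the input plugins will try to listen on."""
    return [int(p) for p in re.findall(r'\bport\s*=>\s*"?(\d+)', input_block(conf))]

def port_in_use(port, host="0.0.0.0"):
    """Bind the TCP port as a listener would; True means 'address already in use'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        if os.name != "nt":
            # Ignore sockets lingering in TIME_WAIT; a live listener still conflicts.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # e.g. permission denied on a privileged port
        return False

def check_config(conf, host="0.0.0.0"):
    """Map each input port to True (taken) or False (free)."""
    return {p: port_in_use(p, host) for p in listener_ports(conf)}

if __name__ == "__main__":
    for port, taken in check_config(SAMPLE_CONF).items():
        print(f"port {port}: {'already in use' if taken else 'free'}")
```

A port reported as taken while Logstash is stopped points to another process (or a second Logstash instance) holding it.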