Logstash plugin had an unrecoverable error. Will restart this plugin

Hello everyone, I need help

I tried using the Microsoft-sentinel plugin output logstash. but I get an error:
A plugin had an unrecoverable error. Will restart this plugin
Error: address already in use

I used two output plugins, one is the log analytics plugin, this one is working correctly, but the new plugin doesn't work.

I just checked another instance of logstash but I don't have

My file conf

input {
  tcp {
    port => 30050
      codec => "json"
        tags => "app1"
   beats {
     port => 5044
        tags => "app2"
filter {
   if "GC(" in [message] {
    drop { }
output {
        if "app1" in [tags]{
        microsoft-logstash-output-azure-loganalytics {
        workspace_id => "xxxxxxxxxxxxxxxxxxxxxx"
        workspace_key => "xxxxxxxxxxxxxxxxxxxxxx"
        custom_log_table_name => "app1"
        else if "app2" in [tags] {
         client_app_Id => "aaaaaaaaaaaaaaa"
         client_app_secret => "bbbbbbbbbbbbbbbbb"
         tenant_id => "1234567"
         data_collection_endpoint => "https://dce-endpoint"
         dcr_immutable_id => "dcr-asdasdsad"
         dcr_stream_name => "Custom-app2_CL"
         create_sample_file=> false
         sample_file_path => "c:\\temp"

Please share the log error from Logstash, it is not possible to know what could be the issue without the error log.

Thanks, Leandrojmp.


[2023-02-22T09:13:57,765][INFO ][logstash.outputs.azureloganalytics][main] Successfully posted 4 logs into custom log analytics table[appp1].
[2023-02-22T09:13:59,648][ERROR][logstash.javapipeline    ][main][684df08e40d65f75cbbc97ad9dd92eab16204f5016236bbea358aa5b6c8c6602] A plugin had an unrecoverable error. Will restart this plugin.
  Plugin: <LogStash::Inputs::Beats port=>5044, tags=>["app2"], id=>"21qwddasdsadasd", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_easdasdsadsada", enable_metric=>true, charset=>"UTF-8">, host=>"", ssl=>false, ssl_verify_mode=>"none", ssl_peer_metadata=>false, include_codec_tag=>true, ssl_handshake_timeout=>10000, ssl_cipher_suites=>["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], ssl_supported_protocols=>["TLSv1.2", "TLSv1.3"], client_inactivity_timeout=>60, executor_threads=>2, add_hostname=>false, tls_min_version=>1, tls_max_version=>1.3>
  Error: Address already in use
  Exception: Java::JavaNet::BindException

there's just one service using the port 5044
[root@CLP1234563 logstash]# netstat -an | grep 5044
tcp        0      0  *               LISTEN
tcp        0      0     ESTABLISHED
[root@CLP123456 logstash]# netstat -tulpn | grep 5044
tcp        0      0  *               LISTEN      6001/java
[root@CLP123456 logstash]#

Your issue is not with the output plugins, but with an input plugin.

Logstash could not bind the 5044 because something else was already using it.

How are you running logstash? Are you using pipelines.yml?

Thanks Leandro.

I execute bin/logstash - f /etc/logstash/conf.g/logstash.conf

In pipelines.yml there are only one path.config

So, you do not use Logstash as a service with systemctl? Are you sure that you do not have another instance running?

The error you got was pretty clear, some process in your system was already using the port 5044, the process with the pid 6001, there is not much to it, if this is not a Logstash, you need to check in your system what is listening on port 5044.

He leandrojmp
Thank you for your help
actually had 2 processes running logstash
after killing a process the plugin worked

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.