Logstash plugin had an unrecoverable error. Will restart this plugin

Vinicius_Carmo · February 22, 2023, 7:57pm

Hello everyone, I need help

I tried using the Microsoft-sentinel plugin output logstash. but I get an error:
A plugin had an unrecoverable error. Will restart this plugin
Error: address already in use

I used two output plugins, one is the log analytics plugin, this one is working correctly, but the new plugin doesn't work.

I just checked another instance of logstash but I don't have

My file conf

input {
  tcp {
    port => 30050
      codec => "json"
        tags => "app1"
  }
   beats {
     port => 5044
        tags => "app2"
  }
}
filter {
   if "GC(" in [message] {
    drop { }
  }
}
output {
        if "app1" in [tags]{
        microsoft-logstash-output-azure-loganalytics {
        workspace_id => "xxxxxxxxxxxxxxxxxxxxxx"
        workspace_key => "xxxxxxxxxxxxxxxxxxxxxx"
        custom_log_table_name => "app1"
}
}
        else if "app2" in [tags] {
         microsoft-sentinel-logstash-output-plugin{
         client_app_Id => "aaaaaaaaaaaaaaa"
         client_app_secret => "bbbbbbbbbbbbbbbbb"
         tenant_id => "1234567"
         data_collection_endpoint => "https://dce-endpoint"
         dcr_immutable_id => "dcr-asdasdsad"
         dcr_stream_name => "Custom-app2_CL"
         create_sample_file=> false
         sample_file_path => "c:\\temp"
}
}
}

leandrojmp · February 22, 2023, 8:06pm

Please share the log error from Logstash, it is not possible to know what could be the issue without the error log.

Vinicius_Carmo · February 22, 2023, 8:30pm

Thanks, Leandrojmp.

Send

[2023-02-22T09:13:57,765][INFO ][logstash.outputs.azureloganalytics][main] Successfully posted 4 logs into custom log analytics table[appp1].
[2023-02-22T09:13:59,648][ERROR][logstash.javapipeline    ][main][684df08e40d65f75cbbc97ad9dd92eab16204f5016236bbea358aa5b6c8c6602] A plugin had an unrecoverable error. Will restart this plugin.
  Pipeline_id:main
  Plugin: <LogStash::Inputs::Beats port=>5044, tags=>["app2"], id=>"21qwddasdsadasd", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_easdasdsadsada", enable_metric=>true, charset=>"UTF-8">, host=>"0.0.0.0", ssl=>false, ssl_verify_mode=>"none", ssl_peer_metadata=>false, include_codec_tag=>true, ssl_handshake_timeout=>10000, ssl_cipher_suites=>["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"], ssl_supported_protocols=>["TLSv1.2", "TLSv1.3"], client_inactivity_timeout=>60, executor_threads=>2, add_hostname=>false, tls_min_version=>1, tls_max_version=>1.3>
  Error: Address already in use
  Exception: Java::JavaNet::BindException

there's just one service using the port 5044
[root@CLP1234563 logstash]# netstat -an | grep 5044
tcp        0      0 0.0.0.0:5044            0.0.0.0:*               LISTEN
tcp        0      0 12.2.2.2:5044       1.1.1.1:53870     ESTABLISHED
[root@CLP123456 logstash]# netstat -tulpn | grep 5044
tcp        0      0 0.0.0.0:5044            0.0.0.0:*               LISTEN      6001/java
[root@CLP123456 logstash]#

leandrojmp · February 22, 2023, 8:33pm

Your issue is not with the output plugins, but with an input plugin.

Logstash could not bind the 5044 because something else was already using it.

How are you running logstash? Are you using pipelines.yml?

Vinicius_Carmo · February 22, 2023, 9:49pm

Thanks Leandro.

I execute bin/logstash - f /etc/logstash/conf.g/logstash.conf

In pipelines.yml there are only one path.config

leandrojmp · February 22, 2023, 10:02pm

So, you do not use Logstash as a service with systemctl? Are you sure that you do not have another instance running?

The error you got was pretty clear, some process in your system was already using the port 5044, the process with the pid 6001, there is not much to it, if this is not a Logstash, you need to check in your system what is listening on port 5044.

Vinicius_Carmo · February 24, 2023, 12:39pm

He leandrojmp
Thank you for your help
actually had 2 processes running logstash
after killing a process the plugin worked

system · March 24, 2023, 12:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.