Logstash Question - Change snmp trap default port (1062 -> 162)

Hello,
I’m new here, and I hope the solution will come from here :slight_smile:

I’ve installed Logstash 9.1.4 on my Linux server (Red Hat 9.5) and I’m trying to change the Logstash snmptrap listener from 1062 to 162 (which requires root permissions).

So here is my setup (hope I’m not missing anything):
vim /etc/logstash/conf.d/snmptrap-pipeline.conf

input {
  snmptrap {
    community => "public"
    host => "0.0.0.0"
    port => 162
    type => "snmptrap"
    #yamlmibdir => "/var/snmp/mib2yaml/mib"
  }
}

filter {

}

output {
        file {
                path =>  "/tmp/snmptrap.log"
        }
}

vim /usr/lib/systemd/system/logstash.service

[Unit]
Description=logstash

[Service]
Type=simple
# Tried with root as well (kept on its own line: systemd does not
# support trailing comments after a value)
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=19
LimitNOFILE=16384
# When stopping, how long to wait before giving up and sending SIGKILL?
# Keep in mind that SIGKILL on a process can cause data loss.
TimeoutStopSec=infinity

[Install]
WantedBy=multi-user.target

And these are the logs:

tail -f /var/log/logstash/logstash-plain.log

[2025-10-05T19:05:59,093][ERROR][logstash.javapipeline ][snmptrap] Pipeline error {:pipeline_id=>"snmptrap", :exception=>"Java::JavaNet::BindException", :error=>"Permission denied", :stacktrace=>"sun.nio.ch.Net.bind0(Native Method)\nsun.nio.ch.Net.bind(sun/nio/ch/Net.java:565)\nsun.nio.ch.DatagramChannelImpl.bindInternal(sun/nio/ch/DatagramChannelImpl.java:1329)\nsun.nio.ch.DatagramChannelImpl.bind(sun/nio/ch/DatagramChannelImpl.java:1299)\nsun.nio.ch.DatagramSocketAdaptor.bind(sun/nio/ch/DatagramSocketAdaptor.java:108)\njava.net.DatagramSocket.createDelegate(java/net/DatagramSocket.java:1425)\njava.net.DatagramSocket.(java/net/DatagramSocket.java:328)\njava.net.DatagramSocket.(java/net/DatagramSocket.java:387)\norg.snmp4j.transport.DefaultUdpTransportMapping.(org/snmp4j/transport/DefaultUdpTransportMapping.java:105)\norg.logstash.snmp.SnmpClient.createTransport(org/logstash/snmp/SnmpClient.java:610)\norg.logstash.snmp.SnmpClient.createSnmpClient(org/logstash/snmp/SnmpClient.java:170)\norg.logstash.snmp.SnmpClient.(org/logstash/snmp/SnmpClient.java:136)\norg.logstash.snmp.SnmpClientBuilder.build(org/logstash/snmp/SnmpClientBuilder.java:105)\njdk.internal.reflect.DirectMethodHandleAccessor.invoke(jdk/internal/reflect/DirectMethodHandleAccessor.java:103)\njava.lang.reflect.Method.invoke(java/lang/reflect/Method.java:580)\norg.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(org/jruby/javasupport/JavaMethod.java:300)\norg.jruby.javasupport.JavaMethod.invokeDirect(org/jruby/javasupport/JavaMethod.java:164)\nRUBY.build_snmp_client!(/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-integration-snmp-4.0.7-java/lib/logstash/plugin_mixins/snmp/common.rb:125)\nRUBY.build_client!(/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-integration-snmp-4.0.7-java/lib/logstash/inputs/snmptrap.rb:133)\nRUBY.register(/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-integration-snmp-4.0.7-java/lib/logstash/inputs/snmptrap.rb:91)\nRUBY.register
(/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-mixin-ecs_compatibility_support-1.3.0-java/lib/logstash/plugin_mixins/ecs_compatibility_support/target_check.rb:48)\nRUBY.register_plugins(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:243)\norg.jruby.RubyArray.each(org/jruby/RubyArray.java:2009)\norg.jruby.RubyArray$INVOKER$i$0$0$each.call(org/jruby/RubyArray$INVOKER$i$0$0$each.gen)\nRUBY.register_plugins(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:242)\nRUBY.start_inputs(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:399)\nRUBY.start_workers(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:323)\nRUBY.run(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:196)\nRUBY.start(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:148)\norg.jruby.RubyProc.call(org/jruby/RubyProc.java:354)\njava.lang.Thread.run(java/lang/Thread.java:1583)", "pipeline.sources"=>["/etc/logstash/conf.d/snmptrap-pipeline.conf"], :thread=>"#<Thread:0x3f0e8f85 /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:138 run>"}
[2025-10-05T19:05:59,095][INFO ][logstash.javapipeline ][snmptrap] Pipeline terminated {"pipeline.id"=>"snmptrap"}
[2025-10-05T19:05:59,098][ERROR][logstash.agent ] Failed to execute action {:id=>:snmptrap, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create, action_result: false", :backtrace=>nil}

When the port is changed to 1062 (which is the default) everything works just fine; however, I don’t want to change all my SNMP traps in the organization to send them on port 1062.

Hope someone will be able to assist me with the issue. :folded_hands:

Thanks in advance!

Welcome to the community

You can:

  • use
    User=root
    Group=root
    and restart the LS service
  • use non-root ports (>1023) in input-snmptrap, which you don't want to use
  • set port forwarding with iptables or similar
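
The port-forwarding option from the list above, as an added example that is not part of the thread: Logstash keeps running as the `logstash` user on 1062 and a NAT rule redirects UDP 162 to it. It assumes the `iptables` command is available and run as root; `REDIRECT_ACTION` and `PIPELINE_CONF` are variable names made up for this sketch.

```sh
#!/bin/sh
# Added example, not from the thread: Logstash stays unprivileged on 1062
# and traps arriving on UDP 162 are redirected to it.
# Assumptions: iptables is installed and run as root; the rule does not
# survive a reboot; PIPELINE_CONF defaults to the path from the first post.

TRAP_PORT=162       # port the SNMP agents already send to
LISTEN_PORT=1062    # snmptrap input default, bindable without root
PIPELINE_CONF=${PIPELINE_CONF:-/etc/logstash/conf.d/snmptrap-pipeline.conf}

# Port set in the pipeline file (first uncommented "port =>" line); falls
# back to the plugin default when the line is absent.
pipeline_port() {
    p=$(sed -n 's/^[[:space:]]*port[[:space:]]*=>[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-$LISTEN_PORT}"
}

# Rule arguments for one iptables action: -C (check), -A (append), -D (delete).
# PREROUTING only sees packets from other hosts, which is where traps come from.
redirect_rule() {
    printf '%s\n' "-t nat $1 PREROUTING -p udp --dport $TRAP_PORT -j REDIRECT --to-ports $LISTEN_PORT"
}

# Refuse to redirect to a port Logstash is not listening on, then add the
# rule only if it is not already present.
apply_redirect() {
    port=$(pipeline_port "$PIPELINE_CONF")
    if [ "$port" != "$LISTEN_PORT" ]; then
        echo "pipeline listens on $port, expected $LISTEN_PORT" >&2
        return 1
    fi
    # Word splitting of the rule string is intentional here.
    iptables $(redirect_rule -C) 2>/dev/null || iptables $(redirect_rule -A)
}

remove_redirect() {
    iptables $(redirect_rule -D)
}

# REDIRECT_ACTION=apply|remove changes the firewall; the default only prints.
case "${REDIRECT_ACTION:-show}" in
    apply)  apply_redirect ;;
    remove) remove_redirect ;;
    *)      echo "iptables $(redirect_rule -A)" ;;
esac
```

With the pipeline left at `port => 1062` and `User=logstash` in the unit, the agents keep sending to 162 and no part of Logstash needs superuser rights.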

Hello Rios,
thank you for taking the time to read and reply. I found the solution 2 minutes ago, and this is the solution (changing root:root doesn’t solve it, it’s being protected).

This is the solution:
it appears that there is a configuration in the yml file which you can update to make it work on port 162:

https://www.elastic.co/docs/release-notes/logstash/breaking-changes

Cannot run Logstash as `superuser` by default

We've changed the default behavior to prevent users from accidentally running Logstash as a superuser. If you try to run Logstash as a superuser, it logs an error and fails to start, ensuring that users cannot run Logstash with elevated privileges by accident.

You can change the value of the allow_superuser setting to true in logstash.yml if you want to restore the previous behavior and allow Logstash to run with superuser privileges. #16558

So simple, all that needed to be done is to uncomment: allow_superuser: true
change the logstash.service to run as root:root
and done!

Hope this will be helpful for other people who might run into that issue!

No extra features required!

Hope this will come in handy for other people who might need that in the future! :slight_smile: :folded_hands:

Yes, that's new from v9. Earlier versions are able to run as root.

If you were running as root I would expect the error message

[2025-10-05T18:04:58,750][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<RuntimeError: Logstash cannot be run as superuser.>, :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/runner.rb:433:in `running_as_superuser'"

to be the first and only thing Logstash logs.