Logstash running but not listening on input port

Elastic Stack Logstash
1

Hi community,

I have a logstash pipeline, It works well when I start the pipeline with command line. But when start as a service , there is no input port listening even the service is running. Please have a look

This is my pipeline config

input {
  stdin { }
  syslog {
   port => 6140
  }
}


output {
  elasticsearch {
    hosts => ["http://172.19.11.74:9200"]
    user => "elastic"
    password => "changeme"
  }
 stdout { codec => rubydebug }
}

the input port listening when start with command line (port 6140)

[root@xplat-mon-02 logstash]# netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      626/rpcbind         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1111/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1247/master                
tcp6       0      0 :::111                  :::*                    LISTEN      626/rpcbind         
tcp6       0      0 :::80                   :::*                    LISTEN      1016/httpd          
tcp6       0      0 :::22                   :::*                    LISTEN      1111/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1247/master         
tcp6       0      0 :::6140                 :::*                    LISTEN      5865/java           
tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      5865/java           
udp        0      0 127.0.0.1:323           0.0.0.0:*                           623/chronyd         
udp        0      0 0.0.0.0:779             0.0.0.0:*                           626/rpcbind         
udp        0      0 0.0.0.0:6140            0.0.0.0:*                           5865/java           
udp        0      0 0.0.0.0:111             0.0.0.0:*                           626/rpcbind         
udp6       0      0 ::1:323                 :::*                                623/chronyd         
udp6       0      0 :::779                  :::*                                626/rpcbind         
udp6       0      0 :::111                  :::*                                626/rpcbind

And pipeline output data

logstash output pipeline
logstash output pipeline1919×852 141 KB

Logstash is active as a service

[root@xplat-mon-02 logstash]# systemctl start logstash
[root@xplat-mon-02 logstash]# systemctl status logstash
? logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-07-05 16:06:26 +07; 53s ago
 Main PID: 9897 (java)
   CGroup: /system.slice/logstash.service
           +-9897 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava....

Jul 05 16:06:26 xplat-mon-02 systemd[1]: Started logstash.
Jul 05 16:06:26 xplat-mon-02 logstash[9897]: Using bundled JDK: /usr/share/logstash/jdk
Jul 05 16:06:26 xplat-mon-02 logstash[9897]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be remov...e release.
Hint: Some lines were ellipsized, use -l to show in full.

But no input port listening

[root@xplat-mon-02 logstash]# netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1111/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1247/master               
tcp6       0      0 :::111                  :::*                    LISTEN      626/rpcbind         
tcp6       0      0 :::80                   :::*                    LISTEN      1016/httpd          
tcp6       0      0 :::22                   :::*                    LISTEN      1111/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1247/master         
udp        0      0 127.0.0.1:323           0.0.0.0:*                           623/chronyd         
udp        0      0 0.0.0.0:779             0.0.0.0:*                           626/rpcbind         
udp        0      0 0.0.0.0:111             0.0.0.0:*                           626/rpcbind         
udp6       0      0 ::1:323                 :::*                                623/chronyd         
udp6       0      0 :::779                  :::*                                626/rpcbind         
udp6       0      0 :::111                  :::*                                626/rpcbind

Thanks

2

I suspect you did not tell your pipeline.yml file where your actual configuration file that you wrote is as I do not see logstash saying that it started any pipelines in your log output.

Be sure to update the /etc/logstash/pipeline.yml file with the path to your pipeline configuration which is the same as supplying the -f flag when running logstash on its own.

# This file is where you define your pipelines. You can define multiple.
# For more information on multiple pipelines, see the documentation:
#   https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html

- pipeline.id: sysloginput_6140
  path.config: "/etc/logstash/conf.d/sysloginput_6140/sysloginput.conf"
2 Likes
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.