Permission denied error while collecting logs from external ip

Elastic Stack Logstash
1

Hi,
I am trying to collect syslogs from a juniper router. I have configured the router to send logs to the IP where Logstash is running.
I have written the input config for Logstash as:

    input {
    syslog {
                type => "syslog"
                port => 514
              }
    }

I find these errors:

May 05 14:36:24 ubuntu logstash[7187]: [2020-05-05T14:36:24,423][INFO ][logstash.inputs.syslog ][main] Starting syslog tcp listener {:address=>"0.0.0.0:514"}

May 05 14:36:24 ubuntu logstash[7187]: [2020-05-05T14:36:24,425][WARN ][logstash.inputs.syslog ][main] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:213:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:149:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:130:in `server'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:110:in `block in run'"]}

May 05 14:36:24 ubuntu logstash[7187]: [2020-05-05T14:36:24,428][WARN ][logstash.inputs.syslog ][main] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:133:in `initialize'", "org/jruby/RubyIO.java:878:in `new'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:167:in `tcp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:130:in `server'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:114:in `block in run'"]}
2

you need root permission to bind to port number lower than 1024. i suppose you run logstash with logstash user ?

3

So should i change the port number?

Sorry,I am new to networking :slight_smile:
How do i know if the logs are actually coming to the particular IP i have configured?

4

yes, change the port number higher than 1024, then configure your device to send the log to the port.

you can use tcpdump to check whether the log is coming

5

Hi,
I configured the router to send logs via port 31320.

Now when i run tcpdump in the server where logstash is running i get this.

15:20:00.973235 IP 10.216.131.17.514 > 10.216.133.193.514: SYSLOG cron.info, length: 84

15:20:00.973282 IP 10.216.133.193 > 10.216.131.17: ICMP 10.216.133.193 udp port 514 unreachable, length 120

15:20:00.973326 IP 10.216.131.17.514 > 10.216.133.193.514: SYSLOG cron.info, length: 84

15:20:00.973334 IP 10.216.133.193 > 10.216.131.17: ICMP 10.216.133.193 udp port 514 unreachable, length 120
6

have you run logstash on port 31320 as well?

7

Yeah i changed in the logstash too.

But this has nothing to do with logstash right?
The logs are not coming to that IP

8

of your config is correct, you can try to dump the logstash output to stdout. if not you will need to work out the syslog portion first

9

Hi,

can i run logstash as root?

So that i can listen to port 514

10

you can, though it’s generally not recommended. should there is vuln in logstash, exploiting the vuln will give the attacker root privileges.

if you have to use port 514, there are a couple of alternatives. you could run standard syslog on that forward and forward, have logstash listen on another port, then use syslog forwarding to forward incoming packets to your logstash instance. you can also use iptables for forwarding. there is also a utility called authbind that allows low privileged user to bind to privileged ports.