Had this issue with a system, and found the problem was /tmp was mounted with noexec option.
Removing the noexec option and rebooting fixed the issue on my system.
It looks like logstash puts a copy of the libnetty-tcnative dynamic library so in /tmp and tries to load it from there which the noexec option blocks. Loading code from /tmp seems like a security risks.
EDIT: the code putting the library in TMP is in netty which is used by logstash.
EDIT 2: maybe the tmp path can be made more sane in logstash's jvm.options file by adding a line
-Dio.netty.native.workdir=some path