Problems starting logstash (snmptrap)

I have a problem starting logstash.
If I start logstash via "systemctl start logstash.service" I get the following error message:

[2022-11-17T18:11:59,947][WARN ][logstash.inputs.snmptrap ][main][eed358a3fbc6028b0f3e6330ddca60ef9da803f3401328b89fa1f198705010a9] SNMP Trap listener died {:exception=>#<Errno::EADDRINUSE: Address already in use - bind - Keine Berechtigungbind(2) for "" port 162>, :backtrace=>["org/jruby/ext/socket/ `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/snmp-1.3.2/lib/snmp/manager.rb:544:in `initialize'", "org/jruby/ `new'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/snmp-1.3.2/lib/snmp/manager.rb:590:in `create_transport'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/snmp-1.3.2/lib/snmp/manager.rb:622:in `initialize'", "org/jruby/ `new'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-snmptrap-3.1.0/lib/logstash/inputs/snmptrap.rb:95:in `build_trap_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-snmptrap-3.1.0/lib/logstash/inputs/snmptrap.rb:99:in `snmptrap_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-snmptrap-3.1.0/lib/logstash/inputs/snmptrap.rb:74:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:410:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:401:in `block in start_input'"]}

If I start logstash like this "/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/02-snmp.conf" I don't get an error message and I see that the server is listening on port 162.

[INFO ] 2022-11-17 18:23:15.064 [[main]<snmptrap] snmptrap - It's a Trap! {:Port=>162, :Community=>["public"], :Host=>""}
[INFO ] 2022-11-17 18:23:15.160 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

I just don't understand.

When started as a service it is getting an error saying the address is already in use. If it does not do so when path.config points specifically to /etc/logstash/conf.d/02-snmp.conf then perhaps the service has path.config pointing to a directory and the directory contains more than one configuration file that has an snmp input. An 02-snmp.conf.backup perhaps.

I got that. Please allow me a question: "How can I configure logtash to use both input entries?

root@dsme01:/etc/logstash/conf.d# cat 02-snmp.conf.old 
input {
  snmptrap {
    type => "snmptrap"
    host => ""
    port => 162


input {
  beats {
    host => ""
    port => 5044
    client_inactivity_timeout => "600"
    ssl => true
    ssl_certificate => "/etc/logstash/config/certs/"
    ssl_key => "/etc/logstash/config/certs/"

Without an error message that the address is already in use?

Maybe the error is a little misleading?

If you are running Logstash as a service, I'm not sure that it will be able to bind to port 162 as this is a reserved port.

It may work when you run in the cli as the root user because the root can bind to that port.

Make a little test, change the port 162 in the snmptrap input to 1620 and see if it works.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.