Problems starting logstash (snmptrap)

Elastic Stack Logstash
1

Hello,
I have a problem starting logstash.
If I start logstash via "systemctl start logstash.service" I get the following error message:

[2022-11-17T18:11:59,947][WARN ][logstash.inputs.snmptrap ][main][eed358a3fbc6028b0f3e6330ddca60ef9da803f3401328b89fa1f198705010a9] SNMP Trap listener died {:exception=>#<Errno::EADDRINUSE: Address already in use - bind - Keine Berechtigungbind(2) for "192.168.150.21" port 162>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/snmp-1.3.2/lib/snmp/manager.rb:544:in `initialize'", "org/jruby/RubyClass.java:911:in `new'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/snmp-1.3.2/lib/snmp/manager.rb:590:in `create_transport'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/snmp-1.3.2/lib/snmp/manager.rb:622:in `initialize'", "org/jruby/RubyClass.java:911:in `new'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-snmptrap-3.1.0/lib/logstash/inputs/snmptrap.rb:95:in `build_trap_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-snmptrap-3.1.0/lib/logstash/inputs/snmptrap.rb:99:in `snmptrap_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-snmptrap-3.1.0/lib/logstash/inputs/snmptrap.rb:74:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:410:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:401:in `block in start_input'"]}

If I start logstash like this "/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/02-snmp.conf" I don't get an error message and I see that the server is listening on port 162.

[INFO ] 2022-11-17 18:23:15.064 [[main]<snmptrap] snmptrap - It's a Trap! {:Port=>162, :Community=>["public"], :Host=>"192.168.150.21"}
[INFO ] 2022-11-17 18:23:15.160 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

I just don't understand.

2

When started as a service it is getting an error saying the address is already in use. If it does not do so when path.config points specifically to /etc/logstash/conf.d/02-snmp.conf then perhaps the service has path.config pointing to a directory and the directory contains more than one configuration file that has an snmp input. An 02-snmp.conf.backup perhaps.

3

I got that. Please allow me a question: "How can I configure logtash to use both input entries?

root@dsme01:/etc/logstash/conf.d# cat 02-snmp.conf.old 
input {
  snmptrap {
    type => "snmptrap"
    host => "192.168.150.21"
    port => 162
  }
}...

and

input {
  beats {
    host => "logstash.intern.harnet.de"
    port => 5044
    client_inactivity_timeout => "600"
    ssl => true
    ssl_certificate => "/etc/logstash/config/certs/logstash.intern.example.com.crt"
    ssl_key => "/etc/logstash/config/certs/logstash.intern.exemple.com.pkcs8.key"
  }
}...

Without an error message that the address is already in use?

4

Maybe the error is a little misleading?

If you are running Logstash as a service, I'm not sure that it will be able to bind to port 162 as this is a reserved port.

It may work when you run in the cli as the root user because the root can bind to that port.

Make a little test, change the port 162 in the snmptrap input to 1620 and see if it works.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.