Syslog kills process in logstash

Hi guys!
I need your help with this problem, please.
What I mean is that syslog is killing the process in Logstash, i.e. it stops listening to syslog. I don't know why this is happening: the process stops working from one moment to the next, stops listening to syslog and doesn't send anything.

We aren't all guys :slight_smile:

How do you know this?
What do your Logstash logs show?

Sorry, Hi, everyone C:

My error is this:

Jun 09 09:56:10 srvefevmmar.efectivo.com.co logstash[136369]: [2021-06-09T09:56:10,686][INFO ][logstash.inputs.syslog   ][main][4d16c94ebf27367b9421ccad9f9f60f26fb87cb2e3d64d503364cc7f1b7f61e0] Starting syslog udp listener {:address=>"0.0.0.0:514"}

Jun 09 09:56:10 srvefevmmar.efectivo.com.co logstash[136369]: [2021-06-09T09:56:10,688][WARN ][logstash.inputs.syslog   ][main][4d16c94ebf27367b9421ccad9f9f60f26fb87cb2e3d64d503364cc7f1b7f61e0] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:216:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:191:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:172:in `server'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-syslog-3.5.0/lib/logstash/inputs/syslog.rb:152:in `block in run'"]}

As you can see in the Logstash status, syslog tries to listen, then the process dies, comes back and tries to listen again, and then it kills the process again. I don't know if it's a bug, but when I run it without the (.conf) it works and the process doesn't stop. I don't know what it could be :confused:

So, it is your syslog input that is not working, not your syslog server killing the Logstash process.

Your problem is this: #<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>

You are trying to bind the syslog input to port 514. Only the root user can run a process that binds to low ports (below 1024), but it is not recommended to run Logstash as root.

You need to choose a port higher than 514; try 5514, for example.

If you have devices that can only send data to port 514, then it is recommended that you use this port on the rsyslog server on your machine and redirect it to the Logstash listening port.

OK, I understand. I will try it and let you know, thank you very much.

I am reading about rsyslog and I have a question: I have to install the rsyslog agent and configure it with port 514, but how do I make it redirect to Logstash in the syslog file that I already have?

I have the configuration in rsyslog.conf like so:

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

I have the TCP and UDP modules active on port 514, but how do I redirect to Logstash in my syslog file?

First you need to check whether you really need to use rsyslog; maybe you do not even need it.

What is going to send logs to this syslog input in Logstash? Network devices? Servers?

Check if you can configure the port to which the logs will be shipped. If that is possible, just use the port you set in your Logstash input.

You would only need rsyslog listening on 514 if you have some old device where the syslog port is hardcoded to 514. If this is the case, then you need it and you can redirect the logs to Logstash.

This rsyslog question is out of the scope of this forum. I recommend that you read the rsyslog documentation, which explains how to redirect to a remote host; in your case that would just be the same IP with a different port.

There are plenty of resources about rsyslog on the internet; the documentation is a pretty good start.
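The relay setup suggested in the two answers above (rsyslog keeps binding the privileged port 514, Logstash listens on an unprivileged port such as 5514, rsyslog forwards to it), as an added example that is not part of the thread or of the rsyslog or Logstash projects. It assumes Debian/Ubuntu-style paths (/etc/rsyslog.d, /etc/logstash/conf.d), that rsyslog's imudp/imtcp inputs are already enabled on 514 as in the rsyslog.conf posted above, and that Logstash and rsyslog run on the same host (127.0.0.1). The port 5514, the file names and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): relay syslog that rsyslog receives on
# UDP/TCP 514 to a Logstash syslog input on an unprivileged port, so Logstash
# never has to bind a port below 1024 (the Errno::EACCES in the thread).
set -eu

LOGSTASH_HOST="${LOGSTASH_HOST:-127.0.0.1}"   # assumed: Logstash on the same box
LOGSTASH_PORT="${LOGSTASH_PORT:-5514}"        # assumed: any port >= 1024

# Ports below 1024 need root or CAP_NET_BIND_SERVICE; refuse them here so the
# generated Logstash config cannot reproduce the original bind(2) failure.
port_is_unprivileged() {
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Write the rsyslog forwarding rule and the Logstash pipeline under "$1"
# (empty string = the real filesystem, i.e. /etc/rsyslog.d and /etc/logstash/conf.d).
write_forward_config() {
    root="${1:-}"
    port_is_unprivileged "$LOGSTASH_PORT" || {
        echo "LOGSTASH_PORT=$LOGSTASH_PORT is privileged; pick a port >= 1024" >&2
        return 1
    }
    mkdir -p "$root/etc/rsyslog.d" "$root/etc/logstash/conf.d"

    # rsyslog (RainerScript): every message that arrived via the network
    # inputs is relayed with omfwd.  RSYSLOG_ForwardFormat is RFC3164-style
    # with an ISO8601 timestamp, which the Logstash syslog input's grok
    # pattern accepts.  Add "stop" inside the block if the relayed messages
    # should not also be written to the local log files by 50-default.conf.
    cat > "$root/etc/rsyslog.d/60-forward-logstash.conf" <<EOF
# forward everything received from the network (switches on 514) to Logstash
if (\$inputname == "imudp" or \$inputname == "imtcp") then {
    action(type="omfwd"
           target="$LOGSTASH_HOST"
           port="$LOGSTASH_PORT"
           protocol="tcp"
           template="RSYSLOG_ForwardFormat")
}
EOF

    # Logstash pipeline: the same syslog input as before, on the high port.
    cat > "$root/etc/logstash/conf.d/syslog.conf" <<EOF
input {
  syslog {
    port => $LOGSTASH_PORT
  }
}
output {
  stdout { codec => rubydebug }
}
EOF
}

# Run as "sh relay.sh apply" (as root) to install the files and verify that
# rsyslog owns 514 and Logstash owns 5514; the verification needs the real
# services, so it is not executed when the script is merely sourced.
if [ "${1:-}" = "apply" ]; then
    write_forward_config ""
    systemctl restart rsyslog logstash
    sleep 5
    ss -lnup | grep -E ":(514|$LOGSTASH_PORT) "      # expect rsyslog on 514, java on 5514
    ss -lntp | grep -E ":(514|$LOGSTASH_PORT) "
    # send one test message into 514 over UDP; it should appear on Logstash stdout
    logger -n 127.0.0.1 -P 514 -d -t relaytest "switch relay check"
fi
```

If a device can only talk to 514 and you would rather not run rsyslog at all, the other option (not discussed in the thread, stated here as a fact about systemd) is a unit drop-in with AmbientCapabilities=CAP_NET_BIND_SERVICE for the logstash service, which lets the unprivileged logstash user bind the low port without running as root.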

Yes, I am monitoring network devices (switches), and they only send on port 514, so I need this; they send emergency or device-error messages.