TCP Plugin Input Permission Denied

So I have seen a variety of these errors on the forum but have not really been able to figure this out for my case.

I am running Elastic stack on a Linux machine. When I try to start Logstash I get the following logs:

[2018-04-11T22:21:51,730][INFO ][logstash.inputs.tcp      ] Starting tcp input listener {:address=>"127.0.0.1:514", :ssl_enable=>"false"}
[2018-04-11T22:21:52,025][INFO ][logstash.pipeline        ] Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x5b444a44 run>"}
[2018-04-11T22:21:52,155][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"127.0.0.1:514"}
[2018-04-11T22:21:52,209][ERROR][logstash.pipeline        ] A plugin had an unrecoverable error. Will restart this plugin.
  Pipeline_id:main
  Plugin: <LogStash::Inputs::Tcp host=>"127.0.0.1", port=>514, id=>"100e84a2ce47ebc6ae315de763e0b1841b45be73e990b47ee8784e223a339d5c", enable_metric=>true, codec=><LogStash::Codecs::Line id=>"line_15eff014-821d-40af-ad0b-d46ad2445276", enable_metric=>true, charset=>"UTF-8", delimiter=>"\n">, mode=>"server", proxy_protocol=>false, ssl_enable=>false, ssl_verify=>true, ssl_key_passphrase=><password>>
  Error: Permission denied
  Exception: Java::JavaNet::SocketException
  Stack: sun.nio.ch.Net.bind0(Native Method)
sun.nio.ch.Net.bind(sun/nio/ch/Net.java:433)
sun.nio.ch.Net.bind(sun/nio/ch/Net.java:425)
sun.nio.ch.ServerSocketChannelImpl.bind(sun/nio/ch/ServerSocketChannelImpl.java:223)
sun.nio.ch.ServerSocketAdaptor.bind(sun/nio/ch/ServerSocketAdaptor.java:74)
io.netty.channel.socket.nio.NioServerSocketChannel.doBind(io/netty/channel/socket/nio/NioServerSocketChannel.java:125)
io.netty.channel.AbstractChannel$AbstractUnsafe.bind(io/netty/channel/AbstractChannel.java:554)
io.netty.channel.DefaultChannelPipeline$HeadContext.bind(io/netty/channel/DefaultChannelPipeline.java:1258)
io.netty.channel.AbstractChannelHandlerContext.invokeBind(io/netty/channel/AbstractChannelHandlerContext.java:511)
io.netty.channel.AbstractChannelHandlerContext.bind(io/netty/channel/AbstractChannelHandlerContext.java:496)
io.netty.channel.DefaultChannelPipeline.bind(io/netty/channel/DefaultChannelPipeline.java:980)
io.netty.channel.AbstractChannel.bind(io/netty/channel/AbstractChannel.java:250)
io.netty.bootstrap.AbstractBootstrap$2.run(io/netty/bootstrap/AbstractBootstrap.java:363)
io.netty.util.concurrent.SingleThreadEventExecutor.safeExecute(io/netty/util/concurrent/SingleThreadEventExecutor.java:451)
io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(io/netty/util/concurrent/SingleThreadEventExecutor.java:418)
io.netty.channel.nio.NioEventLoop.run(io/netty/channel/nio/NioEventLoop.java:401)
io.netty.util.concurrent.SingleThreadEventExecutor$5.run(io/netty/util/concurrent/SingleThreadEventExecutor.java:877)
io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(io/netty/util/concurrent/DefaultThreadFactory.java:144)
java.lang.Thread.run(java/lang/Thread.java:748)
[2018-04-11T22:21:52,214][WARN ][logstash.inputs.udp      ] UDP listener died {:exception=>#<Errno::EACCES: Permission denied - bind(2) for "127.0.0.1" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:197:in `bind'", "/opt/project/ELK/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.2.1/lib/logstash/inputs/udp.rb:95:in `udp_listener'", "/opt/project/ELK/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.2.1/lib/logstash/inputs/udp.rb:56:in `run'", "/opt/project/ELK/logstash/logstash-core/lib/logstash/pipeline.rb:516:in `inputworker'", "/opt/project/ELK/logstash/logstash-core/lib/logstash/pipeline.rb:509:in `block in start_input'"]}
[2018-04-11T22:21:52,262][INFO ][logstash.agent           ] Pipelines running {:count=>1, :pipelines=>["main"]}

Does this mean that I need to change my firewall settings? I am kind of at a loss. My logstash.conf file looks like this:

input{
  tcp{
    host => "127.0.0.1"
    port => 514
  }
  udp{
    host => "127.0.0.1"
    port => 514
  }
}
filter{
  grok{
    match => {"message" => [#groks aren't the issue#]
    }
  }
}
output{
  if "_grokparsefailure" not in [tags]{
    elasticsearch{
      index => "sys-"
      document_type => "syslog"
      hosts => ["http://127.0.0.1:9200"] #x.x.x.x is IP address of server
    }
  }
  else{
    file{
      path => "/opt/project/ELK/syslog_fails.txt"
    }
  }
}

Thanks!


On most Linux installations, the ports up to 1024 require privileged access in order to bind to. You may need to set a rule to allow the logstash user to bind that port.

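As an added example (not part of any post in this thread), the script below reads a pipeline config like the one in the question and lists the input ports that fall under the kernel's unprivileged-port threshold, which is the condition behind the "Permission denied" on bind. The function names and the embedded sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Logstash inputs that need a privileged bind.

# Lowest port a process without CAP_NET_BIND_SERVICE may bind.
# Read the sysctl where the kernel exposes it; otherwise assume the classic 1024.
unpriv_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# privileged_ports CONF START: print each distinct "port => N" with N < START.
privileged_ports() {
    sed -n 's/^[[:space:]]*port[[:space:]]*=>[[:space:]]*"\{0,1\}\([0-9][0-9]*\).*/\1/p' "$1" |
        sort -un | awk -v start="$2" '$1 < start'
}

# Constructed sample: the input section of the config posted in the question.
sample_conf() {
    cat <<'EOF'
input{
  tcp{
    host => "127.0.0.1"
    port => 514
  }
  udp{
    host => "127.0.0.1"
    port => 514
  }
}
EOF
}

# report CONF: say which configured ports the current user cannot bind unaided.
report() {
    start=$(unpriv_port_start)
    for p in $(privileged_ports "$1" "$start"); do
        if [ "$(id -u)" -eq 0 ]; then
            echo "port $p: below $start, bindable here only because uid is 0"
        else
            echo "port $p: below $start, uid $(id -u) needs CAP_NET_BIND_SERVICE"
        fi
    done
}

tmp=$(mktemp)
sample_conf > "$tmp"
report "$tmp"
rm -f "$tmp"
```

A port reported here either moves to an unprivileged number or the listening process needs CAP_NET_BIND_SERVICE. Setting that capability on the java binary itself grants it to every program launched with that JVM, so it is the broader of the two changes.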

See also: Issue in Logstash after Upgrade


Thank you. This seems to be my issue. In the link provided it has me run the command:

patchelf --set-rpath <JAVA_HOME>/jre/lib/amd64/jli <JAVA_HOME>/jre/bin/java

To change the java dynamic library loading strategy. I do not have patchelf on the server so I cannot run this command. Do you know if there is another way to set this?

Thanks!

I'm not sure where you got patchelf as a solution from my suggestions; it appears to be unrelated; I'll quote the post I previously linked to below:

In the article that is in your quote above, the link at
https://blogs.oracle.com/sduloutr/binding-a-server-to-privileged-port-on-linux-wo-running-as-root
is used as an example using setcap to set capabilities for Java. One of the commands given in the article is the one I mentioned above.
