TCP syslog output not working properly in logstash

Elastic Stack Logstash
1

We are using logstash for UDP & TCP syslog events receiving and forwarding. The input for TCP & UDP in logstash is working properly and receiving all the syslog events but TCP output syslog forwarding its not working properly, while forwarding syslog events to output it drops the event & hangs until next syslog event is sent. (This problem is random does not happens with each syslog event).

Below is the logstash.conf

input {

syslog {
port => 1468
}
udp {
port => 514
type => syslog
}
}

output {

syslog{
host => "10.140.190.105"
port => 1468
protocol => tcp
}
}

and below is the log TCP throws whenever it it drop an syslog events on just arrival of next syslog event.

[2017-11-23T07:30:46,801][WARN ][logstash.licensechecker.xpackinfo] Nil response from License Server
2017-11-23T07:30:51.021Z 10.140.190.105 <13>Nov 23 07:30:51 127.0.0.11
[2017-11-23T07:30:58,845][WARN ][logstash.outputs.syslog ] syslog tcp output exception: closing, reconnecting and resending event {:host=>"10.140.190.105", :port=>1468, :exception=>#<Errno::EPIPE: Broken pipe - Broken pipe>, :backtrace=>["org/jruby/RubyIO.java:1431:in write'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-syslog-3.0.3/lib/logstash/outputs/syslog.rb:178:inpublish'", "org/jruby/RubyProc.java:281:in call'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-plain-3.0.4/lib/logstash/codecs/plain.rb:41:inencode'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-syslog-3.0.3/lib/logstash/outputs/syslog.rb:147:in receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:92:inmulti_receive'", "org/jruby/RubyArray.java:1613:in each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:92:inmulti_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/legacy.rb:22:in multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:49:inmulti_receive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:434:in output_batch'", "org/jruby/RubyHash.java:1342:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:433:in output_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:381:inworker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"], :event=>2017-11-23T07:30:58.838Z 10.140.190.105 <13>Nov 23 07:30:58 127.0.0.11

Kindly suggest the solution.

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.