UDP listener died

nzHillNet · June 28, 2015, 12:11am

Hi,

Logstash version 1.5.1, Elasticsearch vesion 1.6

My ddwrt based switches can only send logs over UDP port 514.

I cannot get this to work, and continually get the following error:

{:timestamp=>"2015-06-28T11:56:22.898000+1200", :message=>"UDP listener died", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-0.1.4/lib/logstash/inputs/udp.rb:68:in `udp_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-0.1.4/lib/logstash/inputs/udp.rb:49:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.1-java/lib/logstash/pipeline.rb:176:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.1-java/lib/logstash/pipeline.rb:170:in `start_input'"], :level=>:warn}

At first I did have the port already in use, but that is not the case now:

netstat -an|grep 514
tcp        0      0 192.168.0.10:1514       0.0.0.0:*               LISTEN     
tcp        0      0 192.168.0.10:1514       192.168.0.10:46149      ESTABLISHED
tcp        0      0 192.168.0.10:46149      192.168.0.10:1514       ESTABLISHED
unix  3      [ ]         STREAM     CONNECTED     16514

My logstash input statement is simply:

input {
  tcp {
    host => "hillnet"
    port => 1514
    type => "syslog"
  }
  tcp {
    host => "hillnet"
    port => 1515
    type => "synology"
  }
  udp {
    port => 514
    type => "ddwrt"
  }
}

I have googled, but cannot find an answer. Any help would be appreciated.

eperry · June 28, 2015, 8:26pm

Just to cover the basics

You need to start logstash as root as 514 is a protected port (/etc/sysconfig/logstash LS_USER=root)
try netstat -nlu to see udp ports listening (though your command would probably be sufficient)
Even though the host option is optional try setting it

nzHillNet · June 29, 2015, 8:40am

Hi,

Perfect, it was the protected port issue......I had read about that but for some reason didn't "connect the dots".

Really appreciate the quick, accurate, advice.

--
Roland

ichandan16 · January 29, 2016, 12:39pm

I am running on udp port 5000. But while starting, I am getting following error:

UDP listener died {:exception=>#<SocketError: recvfrom: name or service not known>, :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-0.1.4/lib/logstash/inputs/udp.rb:79:in udp_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-0.1.4/lib/logstash/inputs/udp.rb:49:inrun'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.1-java/lib/logstash/pipeline.rb:176:in inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.1-java/lib/logstash/pipeline.rb:170:instart_input'"], :level=>:warn}

Andrew_Cholakian1 · January 29, 2016, 10:43pm

That is a very old logstash. Have you tried this with logstash 2.1?

qwertz · February 1, 2016, 11:33am

I have the same issue with logstash 2.1 with port 5000

{:timestamp=>"2016-02-01T12:29:57.766000+0100", :message=>"syslog listener died", :protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bin
d(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'", "org/jruby/RubyIO.java:853:in `new'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-in
put-syslog-2.0.2/lib/logstash/inputs/syslog.rb:152:in `tcp_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:117
:in `server'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:101:in `run'"], :level=>:warn}

When i start logstash i have so many sock created (about 1 per second)

I have search all post in google, elastic.co but never fixed

When i make ps -ax | grep log*

  710 pts/1    SNl    0:51 /usr/bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyO
nly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logstash -Xmx500m -Xss2048k -Djffi.boot.library.path=/opt/logstash/vendor/jruby/lib/jni -XX:+UseParNewGC -XX:+UseC
oncMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Djava.io.tmpdir=/var/lib/logst
ash -XX:HeapDumpPath=/opt/logstash/heapdump.hprof -Xbootclasspath/a:/opt/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/opt/logstash/vendor/jruby -Djruby.lib=/o
pt/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main --1.9 /opt/logstash/lib/bootstrap/environment.rb logstash/runner.rb agent -f /etc/logstas

Maybe a leak memory or something like this ?

When i change my port it's ok but logstash listen on 2 port and i get the same information two times !

qwertz · February 15, 2016, 10:34pm

If you have a same issue verifiy you have not save a backup configuration in the same folder (even different name and extension !!)

system · July 6, 2017, 5:11am