I'm seeing this error in my logstash-plain.log file and I am not sure where to start looking:
[2022-09-13T17:25:47,905][ERROR][logstash.inputs.udp ][main][8a46caaeb3cca4377e6163891fd9b8dd48405025c4a31918ce883ba824a5e926] UDP listener died {:exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-udp-3.5.0/lib/logstash/inputs/udp.rb:129:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-udp-3.5.0/lib/logstash/inputs/udp.rb:81:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:410:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:401:in `block in start_input'"]}
Also, here is my conf file. I'm not running any special commands other than systemctl start logstash. I have two devices trying to send info to Logstash, and Logstash sends its output to Elasticsearch.
# Network listeners: two UDP syslog inputs and one TCP input for Windows event logs.
input {
# tcp {
# port => 5050
# type => syslog
# }
# Syslog over UDP on an unprivileged port (above 1023).
udp {
port => 5045
type => syslog
}
# NOTE(review): 514 is below 1024, so on Linux binding it requires root or the
# CAP_NET_BIND_SERVICE capability. The logged 'Errno::EACCES: Permission denied -
# bind(2) for "0.0.0.0" port 514' is this listener failing to bind; presumably the
# systemd unit runs Logstash under an unprivileged service account - confirm.
# Ways to fix it without running Logstash as root: point the devices at 5045,
# redirect 514 to an unprivileged port at the host firewall, or grant the service
# only CAP_NET_BIND_SERVICE (for example AmbientCapabilities= in a systemd drop-in).
udp {
port => 514
type => syslog
}
# beats {
# port => 5044
# }
#
# Plain TCP listener for Windows event log messages.
# NOTE(review): no TLS and no bind address are configured on these inputs, and the
# log shows the UDP listener binding 0.0.0.0 (all interfaces); consider limiting
# which senders can reach these ports at the firewall.
tcp {
type => "WindowsEventLog"
port => 5544
}
}
# Parses classic syslog lines into fields and sets the event time from them.
filter {
  # Only events typed "syslog" (the UDP inputs) are parsed; others pass through untouched.
  if [type] == "syslog" {
    grok {
      # Splits the line into timestamp, host, program, optional pid and message text.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # Records when and from where Logstash received the event, separately from
      # what the sender claims. This helps when correlating spoofable UDP syslog.
      # NOTE(review): confirm what %{host} renders to; with ECS compatibility
      # enabled the inputs may populate [host][ip] instead of a plain string.
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    date {
      # NOTE(review): these timestamps carry no year or time zone and no timezone
      # option is set, so they are presumably read in the Logstash host's zone.
      # Confirm this before relying on @timestamp for cross-host timelines.
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
# Sends every event to Elasticsearch over HTTPS, to stdout, and to a local file.
output {
# TLS is enabled with certificate verification against the CA file given in cacert.
# NOTE(review): the password sits in clear text in this file. The Logstash keystore
# lets the setting reference a secret instead, e.g. password => "${ES_PWD}"
# (ES_PWD is a placeholder key name); also keep this file readable only by the service account.
# NOTE(review): "elastic" is the built-in superuser. A dedicated user limited to
# writing the target indices is the least-privilege choice for a shipping pipeline.
elasticsearch { hosts => ["https://10.141.0.170:9200"]
user => ["elastic"]
password => ["password"]
# NOTE(review): [@metadata][beat] and [@metadata][version] are set by the beats
# input, which is commented out in this config. Presumably the udp/tcp events leave
# these references unresolved - confirm the index name they actually produce.
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
ssl => true
ssl_certificate_verification => true
cacert => '/etc/logstash/certs/http_ca.crt'
}
# Prints each event in rubydebug form.
# NOTE(review): when started via systemctl this output presumably lands in the
# service journal, creating a second copy of all received log data - drop it once debugging is done.
stdout { codec => rubydebug }
# NOTE(review): this path uses backslashes while the other paths on this host are
# POSIX style (/etc/logstash/...). Confirm the intended location (e.g. whether
# /data/logstash.log was meant) and that the service account can write there.
file {
path => "\data\logstash.log"
create_if_deleted => true
}
}
Any help would be splendid!