UDP Listener Died

I'm seeing this error in my logstash-plain.log file and I am not sure where to start looking:

[2022-09-13T17:25:47,905][ERROR][logstash.inputs.udp      ][main][8a46caaeb3cca4377e6163891fd9b8dd48405025c4a31918ce883ba824a5e926] UDP listener died {:exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-udp-3.5.0/lib/logstash/inputs/udp.rb:129:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-udp-3.5.0/lib/logstash/inputs/udp.rb:81:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:410:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:401:in `block in start_input'"]}

Also here is my conf file. I'm not running any special commands other than systemctl start logstash. I have two devices trying to send info to logstash and logstash output to elastic.

input {
#  tcp {
#   port => 5050
#    type => syslog
#  }
  udp {
    port => 5045
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }

#  beats {
#    port => 5044
#  }
#
  tcp {
    type => "WindowsEventLog"
    port => 5544
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["https://10.141.0.170:9200"]
    user => ["elastic"]
    password => ["password"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    ssl => true
    ssl_certificate_verification => true
    cacert => '/etc/logstash/certs/http_ca.crt'
  }
  stdout { codec => rubydebug }
  file {
    path => "\data\logstash.log"
    create_if_deleted => true
  }
}

Any help would be splendid!

You have configured a syslog input on port 514. On many UNIX flavours you need to be root to use ports below 1024. Depending on the details of your UNIX system and TCP stack you may or may not be able to make that port accessible to non-root users.
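A pre-flight check for the situation described in the answer above, as an added example that is not part of the original thread and not Logstash's own code: it lists the `port => N` values in a Logstash input section and flags those a non-root user cannot bind. The function names are hypothetical, the sample config is constructed from the one posted above, and the caller is assumed to pass only the input section.

```ruby
# Added example: flag Logstash input ports that need privilege to bind.
# SAMPLE_CONF is constructed from the input section posted in this thread.
SAMPLE_CONF = <<~CONF
  input {
  #  tcp {
  #   port => 5050
  #  }
    udp {
      port => 5045
      type => syslog
    }
    udp {
      port => 514
      type => syslog
    }
    tcp {
      type => "WindowsEventLog"
      port => 5544
    }
  }
CONF

# Lowest port an unprivileged process may bind. Linux exposes this as a
# sysctl (kernel 4.11+); fall back to the traditional 1024 when it is absent.
def unprivileged_port_start(path = "/proc/sys/net/ipv4/ip_unprivileged_port_start")
  File.readable?(path) ? File.read(path).to_i : 1024
end

# Ports from "port => N" lines, skipping lines commented out with '#'.
# Assumption: conf holds only the input section of the pipeline.
def configured_ports(conf)
  conf.each_line
      .reject { |line| line.lstrip.start_with?("#") }
      .flat_map { |line| line.scan(/\bport\s*=>\s*"?(\d+)"?/).flatten }
      .map(&:to_i).uniq
end

# Ports the given uid cannot bind unless it holds CAP_NET_BIND_SERVICE.
def blocked_ports(conf, uid:, threshold:)
  return [] if uid.zero? # root may bind any port
  configured_ports(conf).select { |port| port < threshold }
end

if __FILE__ == $PROGRAM_NAME
  bad = blocked_ports(SAMPLE_CONF, uid: Process.euid, threshold: unprivileged_port_start)
  puts bad.empty? ? "all ports bindable" : "needs privilege: #{bad.join(', ')}"
end
```

Run it as the account the service uses (the check does not inspect capabilities granted to the process, so a port it flags may still bind if CAP_NET_BIND_SERVICE has been given).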

Ahhhh, ok thanks. Let me give this a go. I will change the port to the syslog port I created, 5045. I only used the 514 because it was native on two devices I am testing.
