UDP Listener Died

Technolust · September 13, 2022, 9:31pm

I'm seeing this error in my logstash-plain.log file and I ham not sure where to start looking:

[2022-09-13T17:25:47,905][ERROR][logstash.inputs.udp      ][main][8a46caaeb3cca4377e6163891fd9b8dd48405025c4a31918ce883ba824a5e926] UDP listener died {:exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-udp-3.5.0/lib/logstash/inputs/udp.rb:129:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-input-udp-3.5.0/lib/logstash/inputs/udp.rb:81:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:410:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:401:in `block in start_input'"]}

Also here is my conf file. I'm not running any special commands other than systemctl start logstash. I have two devices trying to send info to logstash and logstash output to elastic.

input {
#  tcp {
#   port => 5050
#    type => syslog
#  }
  udp {
    port => 5045
    type => syslog
  }
  udp {
    port => 514
    type => syslog
}

#  beats {
 #   port => 5044
 #  }
 #
  tcp {
      type => "WindowsEventLog"
      port => 5544
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["https://10.141.0.170:9200"]
    user => ["elastic"]
    password => ["password"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    ssl => true
    ssl_certificate_verification => true
    cacert => '/etc/logstash/certs/http_ca.crt'
}
  stdout { codec => rubydebug }
  file {
    path => "\data\logstash.log"
    create_if_deleted => true
}
}

Any help would be splendid!

Badger · September 13, 2022, 11:34pm

You have configured a syslog input on port 514. On many UNIX flavours you need to be root to use ports below 1024. Depending on the details of your UNIX system and TCP stack you may or may not be able to make that port accessible to non-root users.

Technolust · September 14, 2022, 12:37pm

Ahhhh, ok thanks. Let me give this a go. I will change the port to the syslog port I created 5045. I only used the 514 because it was native on two devices I am testing.

system · October 12, 2022, 12:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
UDP listener died Logstash	7	17628	July 6, 2017
Udp listener died warning in logstash udp input plugin Logstash	2	1069	December 13, 2016
UDP listener died. IOError: closed stream Logstash	3	1895	July 6, 2017
I am getting this error when running logstash configuration pipeline through logstash.yml file Logstash	3	829	May 4, 2021
UDP Listener died, address already in use Logstash	5	932	October 14, 2022

UDP Listener Died

Related Topics