Local_syslog.conf
Input {
Syslog {
port = ' 514 '
}
}
output {
Elasticsearch {
hosts = = ["node1:9200"]< C7/>index = "Syslog"
}
}
Start Logstash Error:
[elastic@node1 logstash-6.2.3]$ bin/logstash -f config/local_syslog.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
[2018-04-26T10:30:23,901][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/opt/logstash-6.2.3/modules/netflow/configuration"}
[2018-04-26T10:30:23,925][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/opt/logstash-6.2.3/modules/fb_apache/configuration"}
[2018-04-26T10:30:24,570][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-04-26T10:30:25,359][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.2.3"}
[2018-04-26T10:30:26,069][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-04-26T10:30:28,541][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-04-26T10:30:29,101][INFO ][logstash.pipeline ] Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x4d740a8b run>"}
[2018-04-26T10:30:29,179][INFO ][logstash.inputs.syslog ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:30:29,195][INFO ][logstash.inputs.syslog ] Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:30:29,215][WARN ][logstash.inputs.syslog ] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:197:in `bind'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:149:in `udp_listener'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:130:in `server'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:110:in `block in run'"]}
[2018-04-26T10:30:29,222][WARN ][logstash.inputs.syslog ] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:133:in `initialize'", "org/jruby/RubyIO.java:875:in `new'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:167:in `tcp_listener'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:130:in `server'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:114:in `block in run'"]}
[2018-04-26T10:30:29,228][INFO ][logstash.agent ] Pipelines running {:count=>1, :pipelines=>["main"]}
[2018-04-26T10:30:34,222][INFO ][logstash.inputs.syslog ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:30:34,223][INFO ][logstash.inputs.syslog ] Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:30:34,224][WARN ][logstash.inputs.syslog ] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:197:in `bind'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:149:in `udp_listener'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:130:in `server'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:110:in `block in run'"]}
[2018-04-26T10:30:34,225][WARN ][logstash.inputs.syslog ] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:133:in `initialize'", "org/jruby/RubyIO.java:875:in `new'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:167:in `tcp_listener'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:130:in `server'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:114:in `block in run'"]}
[2018-04-26T10:30:39,225][INFO ][logstash.inputs.syslog ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:30:39,226][INFO ][logstash.inputs.syslog ] Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:30:39,227][WARN ][logstash.inputs.syslog ] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:133:in `initialize'", "org/jruby/RubyIO.java:875:in `new'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:167:in `tcp_listener'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:130:in `server'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:114:in `block in run'"]}
[2018-04-26T10:30:39,227][WARN ][logstash.inputs.syslog ] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:197:in `bind'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:149:in `udp_listener'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:130:in `server'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.0/lib/logstash/inputs/syslog.rb:110:in `block in run'"]}
^C[2018-04-26T10:30:41,179][WARN ][logstash.runner ] SIGINT received. Shutting down.
[2018-04-26T10:30:42,233][INFO ][logstash.inputs.syslog ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:30:42,233][INFO ][logstash.inputs.syslog ] Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:30:42,485][INFO ][logstash.pipeline ] Pipeline has terminated {:pipeline_id=>"main", :thread=>"#<Thread:0x4d740a8b run>"}
[2018-04-26T10:30:42,623][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Stop/pipeline_id:main, :exception=>"NoMethodError", :message=>"undefined method `map' for nil:NilClass\nDid you mean? tap", :backtrace=>["/opt/logstash-6.2.3/logstash-core/lib/logstash/util.rb:40:in `thread_info'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/pipeline.rb:662:in `block in plugin_threads_info'", "org/jruby/RubyArray.java:2486:in `map'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/pipeline.rb:662:in `plugin_threads_info'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/pipeline_reporter.rb:66:in `block in to_hash'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:80:in `inflight_batches'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/pipeline_reporter.rb:56:in `to_hash'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/pipeline_reporter.rb:51:in `snapshot'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/shutdown_watcher.rb:88:in `pipeline_report_snapshot'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/shutdown_watcher.rb:63:in `block in start'", "/opt/logstash-6.2.3/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/interval.rb:20:in `interval'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/shutdown_watcher.rb:59:in `start'", "/opt/logstash-6.2.3/logstash-core/lib/logstash/shutdown_watcher.rb:35:in `block in start'"]}
[elastic@node1 logstash-6.2.3]$
Visible is syslog UDP listener and syslog TCP listener failed to start
Syslog Listener died {:p rotocol=>:tcp,:address=> "0.0.0.0:514",: exception=>#<errno::eacces:permission Denied-bind (2),
Syslog listener died {:p rotocol=>:udp,:address=> "0.0.0.0:514",:exception=>#< Errno::eacces:permission Denied-bind (2)
for "0.0.0.0" Port 514>
Baidu, did not find the information available, and later referred to the https://discuss.elastic.co/t/udp-listener-died/24489, find a solution
You need to start logstash as root as 514 is a protected port (/etc/sysconfig/logstash ls_user=root)
So switch to the root user and start again
[root@node1 logstash-6.2.3]# bin/logstash -f config/local_syslog.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
[2018-04-26T10:43:14,182][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/opt/logstash-6.2.3/modules/netflow/configuration"}
[2018-04-26T10:43:14,204][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/opt/logstash-6.2.3/modules/fb_apache/configuration"}
[2018-04-26T10:43:14,839][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-04-26T10:43:15,820][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.2.3"}
[2018-04-26T10:43:16,490][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-04-26T10:43:19,426][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-04-26T10:43:19,974][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://node1:9200/]}}
[2018-04-26T10:43:19,988][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://node1:9200/, :path=>"/"}
[2018-04-26T10:43:20,265][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://node1:9200/"}
[2018-04-26T10:43:20,367][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2018-04-26T10:43:20,372][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2018-04-26T10:43:20,396][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2018-04-26T10:43:20,426][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-04-26T10:43:20,501][INFO ][logstash.outputs.elasticsearch] Installing elasticsearch template to _template/logstash
[2018-04-26T10:43:20,885][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//node1:9200"]}
[2018-04-26T10:43:21,422][INFO ][logstash.pipeline ] Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x2a890d7c run>"}
[2018-04-26T10:43:21,479][INFO ][logstash.inputs.syslog ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:43:21,493][INFO ][logstash.inputs.syslog ] Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[2018-04-26T10:43:21,533][INFO ][logstash.agent ] Pipelines running {:count=>1, :pipelines=>["main"]}
Started normally
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
