Discussion:
Logstash tcp udp syslog listeners dying
Gregory G. Greenlee
12 years ago
Hello everyone:
I have logstash installed and ingesting GELF formatted messages. I also
have a syslog input configured but it seems that input isn't working and
I'm getting these errors in the log. Thank you for your input on this!!!

{:timestamp=>"2013-11-11T10:42:29.409000-0500", :message=>"syslog tcp
listener died", :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES:
Permission denied - bind(2)>,
:backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'",
"org/jruby/RubyIO.java:856:in `new'",
"file:/usr/share/java/logstash.jar!/logstash/inputs/syslog.rb:133:in
`tcp_listener'",
"file:/usr/share/java/logstash.jar!/logstash/inputs/syslog.rb:88:in
`run'"], :level=>:warn}
{:timestamp=>"2013-11-11T10:42:29.409000-0500", :message=>"syslog udp
listener died", :address=>"0.0.0.0:514", :exception=>#<SocketError: bind:
name or service not known>,
:backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'",
"file:/usr/share/java/logstash.jar!/logstash/inputs/syslog.rb:114:in
`udp_listener'",
"file:/usr/share/java/logstash.jar!/logstash/inputs/syslog.rb:74:in
`run'"], :level=>:warn}

input {
  syslog {
    type => syslog
    port => 514
    codec => plain { charset => "ISO-8859-1" }
  }
  gelf {
    port => 12201
    type => "gelf"
  }
}

output {
  elasticsearch {
    bind_host => "pdnlog01.appica.com"
    cluster => "appica_cluster"
    port => 9300
  }
}
--
Remember: if a new user has a bad time, it's a bug in logstash.
---
You received this message because you are subscribed to the Google Groups "logstash-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to logstash-users+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/***@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.
c***@public.gmane.org
12 years ago
Questions: Why are you looking for syslogs on a port? Is the logstash
shipper on the system it is reading the syslogs from?

Here is what I have for syslogs:
input {
  file {
    type => "syslog"
    path => ["/var/log/*"]
    exclude => ["*.gz", "*.log.?", "shipper.log"]
    sincedb_path => "/var/cache/logstash/.sincedb"
    debug => true
  }
}

Post by Gregory G. Greenlee
input {
  syslog {
    type => syslog
    port => 514
    codec => plain { charset => "ISO-8859-1" }
  }
  gelf {
    port => 12201
    type => "gelf"
  }
}
b***@public.gmane.org
11 years ago
Post by c***@public.gmane.org
Questions: Why are you looking for syslogs on a port? Is the logstash
shipper on the system it is reading the syslogs from?

Syslog is both a network protocol and a somewhat standardized format for
text file logs. If you have things on the network (NAS box, switches,
routers, oscilloscopes, VoIP equipment) that don't have a JVM or any
ability to install software, there's a pretty good chance they might still
be able to log to a syslog server. That's what the syslog plugin is for.

But also, since pretty much all *nix distributions include a syslog system,
it would probably be lighter weight to configure these systems to export
logs to a syslog server (the syslog input plugin) than to install a JVM and
run a logstash shipper. Probably not a big deal on a metal server, but if
you have a bunch of VMs running on a single host, you could get logs at
very little resource cost using syslog. Forcing JVM installation for a
syslog shipper could have a meaningful impact on the number of VMs run.
Dick Davies
12 years ago
Permission denied binding to the port. I'd guess logstash isn't running as
root?

:exception=>#<Errno::EACCES: Permission denied - bind(2)>,
:backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'",
"org/jruby/RubyIO.java:856:in `new'",
"file:/usr/share/java/logstash.jar!/logstash/inputs/syslog.rb:133:in
`tcp_listener'",
"file:/usr/share/java/logstash.jar!/logstash/inputs/syslog.rb:88:in
`run'"], :level=>:warn}
input {
syslog {
type => syslog
port => 514
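An added example (not part of the thread, and not Logstash's own code): a Ruby script that reads "listener died" warnings in the format shown in the first post and flags the case diagnosed in the last reply, an EACCES on a port below 1024. The sample lines are constructed from the post with the backtraces left out; `diagnose`, `findings` and the cause labels are hypothetical names.

```ruby
# Constructed sample: the two warnings from the post, one event per line,
# backtraces omitted.
SAMPLE_LOG = <<~'LOG'
  {:timestamp=>"2013-11-11T10:42:29.409000-0500", :message=>"syslog tcp listener died", :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :level=>:warn}
  {:timestamp=>"2013-11-11T10:42:29.409000-0500", :message=>"syslog udp listener died", :address=>"0.0.0.0:514", :exception=>#<SocketError: bind: name or service not known>, :level=>:warn}
LOG

# By default on Linux, binding a port below this needs root or CAP_NET_BIND_SERVICE.
PRIVILEGED_PORT_LIMIT = 1024

LISTENER_DIED = /:message=>"syslog (?<proto>tcp|udp) listener died".*?:address=>"(?<host>[^":]+):(?<port>\d+)".*?:exception=>#<(?<klass>[\w:]+): (?<detail>[^>]*)>/

# Hypothetical helper: turn one log line into a finding, or nil when the line
# is not a "listener died" event.
def diagnose(line)
  m = LISTENER_DIED.match(line) or return nil
  port = m[:port].to_i
  privileged = port < PRIVILEGED_PORT_LIMIT
  cause =
    if m[:klass] == "Errno::EACCES" && privileged
      :privileged_port_denied   # non-root process asked for a port below 1024
    elsif m[:klass] == "Errno::EADDRINUSE"
      :port_in_use              # another listener already holds the port
    else
      :unclassified             # exception text alone does not name the cause
    end
  { proto: m[:proto], host: m[:host], port: port,
    exception: m[:klass], privileged_port: privileged, cause: cause }
end

# Hypothetical helper: all findings in a log, in order of appearance.
def findings(log)
  log.each_line.map { |line| diagnose(line) }.compact
end

if __FILE__ == $PROGRAM_NAME
  findings(SAMPLE_LOG).each do |f|
    puts "#{f[:proto]} #{f[:host]}:#{f[:port]} #{f[:exception]} -> #{f[:cause]}"
    next unless f[:privileged_port]
    puts "  port #{f[:port]} is below #{PRIVILEGED_PORT_LIMIT}: prefer a port at or above it over running as root"
  end
end
```

The UDP event stays `:unclassified` because its SocketError text does not state a permission failure, but it is still reported as targeting a privileged port.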