Question

I had to add the following section to /System/Library/LaunchDaemons/com.apple.syslogd.plist to activate UDP on port 514 for syslogd:

<key>NetworkListener</key>
<dict>
    <key>SockServiceName</key>
    <string>syslog</string>
    <key>SockType</key>
    <string>dgram</string>
</dict>

/etc/services has entries

shell           514/tcp     # cmd
syslog          514/udp # 
syslog-conn     601/udp     # Reliable Syslog Service
syslog-conn     601/tcp     # Reliable Syslog Service

Running logstash-1.4.0/bin/logstash -f logstash-syslog.conf gives:

syslog tcp listener died {:address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'", "org/jruby/RubyIO.java:852:in `new'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:135:in `tcp_listener'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:90:in `run'"], :level=>:warn}

Running it with sudo gives:

syslog udp listener died {:address=>"0.0.0.0:514", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:116:in `udp_listener'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:76:in `run'"], :level=>:warn}

Output of sudo lsof -ni -P | grep -i 514

launchd     1           root   25u  IPv4 0x4ec86f4f62c22bb5      0t0    UDP *:514
launchd     1           root   26u  IPv6 0x4ec86f4f746ca4f5      0t0    UDP *:514
mDNSRespo  47 _mdnsresponder   49u  IPv4 0x4ec86f4f62c1faf5      0t0    UDP *:51446
mDNSRespo  47 _mdnsresponder   50u  IPv6 0x4ec86f4f62c1f2d5      0t0    UDP *:51446
mDNSRespo  47 _mdnsresponder   58u  IPv4 0x4ec86f4f63fd7175      0t0    UDP *:51437
mDNSRespo  47 _mdnsresponder   59u  IPv6 0x4ec86f4f62c1f475      0t0    UDP *:51437
syslogd   655           root    6u  IPv4 0x4ec86f4f62c22bb5      0t0    UDP *:514
syslogd   655           root    7u  IPv6 0x4ec86f4f746ca4f5      0t0    UDP *:514

Here is the content of my logstash config:

input { 
    syslog {
    } 
}

filter {
    json {
        source => "message"
    }
}

filter {
    if [program] == "myprogram" {
        date {
            match => [ "timestamp_rcvd", "UNIX_MS" ]
        }
        date {
            match => [ "timestamp_rcvd", "UNIX_MS" ]
            target => "timestamp_rcvd"
        }
        date {
            match => [ "timestamp", "UNIX_MS" ]
            target => "timestamp"
        }
    }
}

filter {
    mutate {
        remove_field => [ "facility", "message", "@version", "host", "priority", "severity", "facility_label", "severity_label" ]
    }
}

output {
    stdout { }
    elasticsearch { embedded => true }
}

I am doing all this on my Mac Pro. Searching for similar problems on Google gets me to https://logstash.jira.com/browse/LOGSTASH-840


Solution

Closing syslogd

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist

and then running logstash worked. Hope it helps others with a similar issue.
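As an added example (not code from the post or from Logstash), the following Ruby pre-flight check tries to bind the TCP and UDP listeners the syslog input opens and separates the two conditions seen above: a permission error on port 514 without sudo, and a port already held by another process, as the lsof output shows for launchd and syslogd. The names `probe_bind`, `preflight` and `ADVICE` are hypothetical, and the error classes are those raised by standard (MRI) Ruby.

```ruby
require 'socket'

# Hypothetical helper: try to bind one protocol on host:port and classify
# the result instead of letting the listener die with a backtrace.
def probe_bind(proto, host, port)
  sock = nil
  if proto == :udp
    sock = UDPSocket.new
    sock.bind(host, port)
  else
    sock = TCPServer.new(host, port)
  end
  :free
rescue Errno::EADDRINUSE
  :in_use              # another process already holds the port
rescue Errno::EACCES
  :permission_denied   # the OS refused the bind for this user
rescue SocketError, SystemCallError
  :other
ensure
  sock.close if sock && !sock.closed?
end

ADVICE = {
  free: 'port can be bound',
  in_use: 'held by another process; identify it with: sudo lsof -ni -P | grep <port>',
  permission_denied: 'binding this port needs elevated privileges',
  other: 'bind failed for another reason; inspect the exception'
}.freeze

# Check both listeners (TCP and UDP) on the same port.
def preflight(port, host = '0.0.0.0')
  %i[tcp udp].map { |proto| [proto, probe_bind(proto, host, port)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  port = (ARGV[0] || 514).to_i
  preflight(port).each do |proto, status|
    puts format('%-3s %d: %s (%s)', proto, port, status, ADVICE[status])
  end
end
```

Run it once as the user that will start logstash and once with sudo; a result of `in_use` under sudo points to a conflicting listener rather than a privilege problem.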

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow