Logstash syslog input fails to start: "syslog listener died" (Permission denied on bind to port 514)
Ubuntu 22, Rocky 9
cat /etc/logstash/conf.d/00-in-syslog.conf
# Pipeline as originally deployed. This is the configuration that produces the
# "Permission denied - bind(2)" warning in the log output that follows.
input {
syslog {
# 514 is below 1024, so on Linux bind(2) requires root or CAP_NET_BIND_SERVICE;
# the log shows the bind to 0.0.0.0:514 being refused with EACCES.
# NOTE(review): no host is set and the log shows the listener on 0.0.0.0, i.e.
# every interface. Syslog on this port is unauthenticated plaintext, so limit
# the permitted senders at the firewall where they are known.
port => "514"
}
}
filter {
# Drop fields that are not wanted downstream.
# NOTE(review): with ECS compatibility enabled, "event" and "log" presumably hold
# the raw line and the syslog facility/severity; confirm nothing needed for later
# investigation is discarded here.
mutate {
remove_field => ["log","service","@version","type","event"]
}
# Remove the tag that marks events whose syslog header could not be parsed.
# NOTE(review): once the tag is gone, malformed or non-standard messages can no
# longer be told apart from cleanly parsed ones; confirm that is intended.
mutate {
remove_tag => ["_grokparsefailure_sysloginput"]
}
# Trim leading and trailing whitespace from the message text.
mutate {
strip => ["message"]
}
}
[2023-10-17T23:20:26,439][INFO ][logstash.inputs.syslog ][main][0e211d37c181e2a2821e67c0085d01b778f5b2458f6250c3091a8a44da94cbb2] Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[2023-10-17T23:20:26,440][WARN ][logstash.inputs.syslog ][main][0e211d37c181e2a2821e67c0085d01b778f5b2458f6250c3091a8a44da94cbb2] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:123:in `initialize'", "org/jruby/RubyClass.java:931:in `new'", "org/jruby/RubyIO.java:866:in `new'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.6.0/lib/logstash/inputs/syslog.rb:208:in `tcp_listener'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.6.0/lib/logstash/inputs/syslog.rb:172:in `server'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.6.0/lib/logstash/inputs/syslog.rb:156:in `block in run'"]}
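Workaround: port 514 is a privileged port (below 1024), so the Logstash service gets EACCES on bind unless it runs as root or holds CAP_NET_BIND_SERVICE. Rather than raising its privileges, listen on an unprivileged port (5514) and forward 514 to it with firewalld. Note that the forward-port rule shown below covers proto=udp only; senders using TCP syslog on 514 would need a matching proto=tcp rule.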
Rocky 9
cat /etc/logstash/conf.d/00-in-syslog.conf
# Workaround listener: 5514 is above 1023, so binding it needs neither root nor
# CAP_NET_BIND_SERVICE. Traffic sent to 514 reaches it through the firewalld
# forward-port rule listed further down.
input {
syslog {
# NOTE(review): 5514 is still reachable directly on every interface unless the
# firewall zone blocks it; confirm that only the forwarded path is exposed.
port => "5514"
}
}
...
# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9000
inet 192.168.10.10
# firewall-cmd --list-all
public (active)
...
forward: yes
masquerade: no
forward-ports:
port=514:proto=udp:toport=5514:toaddr=192.168.10.10