Background: I have been working with ELK for quite a while and have run into a fair number of pitfalls along the way.
1. Test Environment
CentOS 7 operating system, with rsyslog and Logstash 6.2.4 (binary installation)
2. Problem
When the service is set to start as the logstash user, the following error occurs:
Jul 27 17:39:02 zabbix-server logstash: [2019-07-27T17:39:02,995][INFO ][logstash.inputs.syslog ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
Jul 27 17:39:03 zabbix-server logstash: [2019-07-27T17:39:02,997][WARN ][logstash.inputs.syslog ] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:197:in `bind'", "/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:149:in `udp_listener'", "/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:130:in `server'", "/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:110:in `block in run'"]}
The cause is a lack of permission to bind the port: because of Linux security settings, an application that uses a port below 1024 must be started as the root user and cannot be started by a normal user.
3. Solution
(1) Start the Logstash service as root
logstash.service
[Unit]
Description=logstash

[Service]
Type=simple
User=root
Group=root
Environment=JAVA_HOME=/usr/local/jdk
Environment=LS_HOME=/usr/local/logstash
Environment=LS_SETTINGS_DIR=/usr/local/logstash/config/
Environment=LS_PIDFILE=/usr/local/logstash/logstash.pid
Environment=LS_USER=root
Environment=LS_GROUP=root
Environment=LS_GC_LOG_FILE=/usr/local/logstash/logs/gc.log
Environment=LS_OPEN_FILES=16384
Environment=LS_NICE=19
Environment=SERVICE_NAME=logstash
Environment=SERVICE_DESCRIPTION=logstash
ExecStart=/usr/local/logstash/bin/logstash "--path.settings" "/usr/local/logstash/config/"
Restart=always
WorkingDirectory=/usr/local/logstash
Nice=19
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target

Logstash configuration:
input {
  syslog {
    port => "514"
  }
}
filter {
}
output {
  stdout {
    codec => rubydebug
  }
}
Test Results:
(2) Start the Logstash service as the ordinary logstash user, configure the firewalld firewall to forward traffic from port 514 to port 1300, and set the Logstash syslog input to listen on port 1300 to receive the log messages
logstash.service as follows:
[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
Environment=JAVA_HOME=/usr/local/jdk
Environment=LS_HOME=/usr/local/logstash
Environment=LS_SETTINGS_DIR=/usr/local/logstash/config/
Environment=LS_PIDFILE=/usr/local/logstash/logstash.pid
Environment=LS_USER=logstash
Environment=LS_GROUP=logstash
Environment=LS_GC_LOG_FILE=/usr/local/logstash/logs/gc.log
Environment=LS_OPEN_FILES=16384
Environment=LS_NICE=19
Environment=SERVICE_NAME=logstash
Environment=SERVICE_DESCRIPTION=logstash
ExecStart=/usr/local/logstash/bin/logstash "--path.settings" "/usr/local/logstash/config/"
Restart=always
WorkingDirectory=/usr/local/logstash
Nice=19
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target

Logstash test configuration (conf):
input {
  syslog {
    port => "1300"
  }
}
filter {
}
output {
  stdout {
    codec => rubydebug
  }
}

Set up firewalld port forwarding so that traffic to port 514 is forwarded to port 1300:
firewall-cmd --permanent --zone=public --add-port=514/tcp
firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=tcp:toport=1300
firewall-cmd --reload
firewall-cmd --list-ports
firewall-cmd --list-forward-ports
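One way to check the forward from a client, as an added example that is not part of the original post: the script sends one RFC 3164 syslog line to port 514 over TCP and one over UDP, so the rubydebug output shows which transports actually reach the listener on 1300 (the rule above forwards proto=tcp only, while the error log shows the input also opens a UDP listener). The host name test-host, the tag fwdtest and the file name probe.py are assumptions made for the example.

```python
import socket
import sys
import time


def build_rfc3164(msg, facility=1, severity=6, host="test-host", tag="fwdtest"):
    """Build '<PRI>Mmm dd hh:mm:ss host tag: msg' (PRI = facility*8 + severity)."""
    now = time.localtime()
    stamp = "%s %2d %s" % (time.strftime("%b", now), now.tm_mday,
                           time.strftime("%H:%M:%S", now))
    line = "<%d>%s %s %s: %s" % (facility * 8 + severity, stamp, host, tag, msg)
    return line.encode("utf-8")


def send_probe(host, port, proto, msg, timeout=3.0):
    """Send one syslog line over 'tcp' or 'udp'; return (ok, detail)."""
    data = build_rfc3164(msg)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.sendto(data, (host, port))
            # UDP has no handshake: success here only means the datagram left.
            return True, "datagram sent, confirm arrival in the rubydebug output"
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(data + b"\n")  # TCP syslog lines are newline-delimited
        return True, "connection accepted and line written"
    except OSError as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def probe_both(host, port=514):
    """Probe the port over both transports; each message names its transport."""
    return {proto: send_probe(host, port, proto, "forward check via " + proto)
            for proto in ("tcp", "udp")}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <logstash-host>")
    for proto, (ok, detail) in probe_both(sys.argv[1]).items():
        print("%s/514: %s (%s)" % (proto, "ok" if ok else "FAILED", detail))
```

Run it from the rsyslog client rather than on the Logstash host itself, because firewalld forward-port rules apply to traffic arriving on an interface, not to locally generated connections.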
Test results are as follows: