My logstash version is:
# /opt/logstash/bin/logstash --version
logstash 2.2.4
it is configured to receive input from port 5044 according to the filebeat file:
/etc/logstash/conf.d/02-beats-input.conf
input {
beats {
port => 5044
ssl => false
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
I have set ssl to false as I am not using it
but when I start the logstash service normally with systemctl it start and checking the status confirms it is running
systemctl status logstash
● logstash.service - LSB: Starts Logstash as a daemon.
Loaded: loaded (/etc/rc.d/init.d/logstash)
Active: active (exited) since Mon 2016-07-18 19:14:51 BST; 15h ago
Docs: man:systemd-sysv-generator(8)
Process: 19965 ExecStop=/etc/rc.d/init.d/logstash stop (code=exited, status=0/SUCCESS)
Process: 19970 ExecStart=/etc/rc.d/init.d/logstash start (code=exited, status=0/SUCCESS)
...
logstash started
The problem is that logstash does not seem to be receiving input on port 5044. hosts sending filebeats encounter:
single.go:126: INFO Connecting error publishing events (retrying): dial tcp 192.72.0.92:5044: getsockopt: connection refused
when I check the port
# netstat -an | grep 5044
I get nothing. So even though logstash is running, I can't tell what port it is bound to and listening on.
Also the firewall is stopped temporarily to investigate this.
The strange thing is that is I run logstash is debug mode like so:
# ./logstash --debug -f /etc/logstash/conf.d/02-beats-input.conf
I can see
# netstat -an | grep 5044
tcp6 0 0 :::5044 :::* LISTEN
tcp6 0 0 192.72.0.92:5044 192.168.36.70:53720 ESTABLISHED
tcp6 0 0 192.72.0.92:5044 192.72.0.90:45980 ESTABLISHED
tcp6 0 0 192.72.0.92:5044 192.72.0.90:45975 ESTABLISHED
tcp6 0 0 192.72.0.92:5044 192.72.0.90:45976 ESTABLISHED
or
# lsof -i :5044
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 15136 root 7u IPv6 7191510 0t0 TCP *:lxi-evntsvc (LISTEN)
java 15136 root 33u IPv6 7192379 0t0 TCP hostname:lxi-evntsvc->192.72.0.90:45975 (ESTABLISHED)
and the host sending filebeats can connect
output.go:87: DBG output worker: publish 7 events
2016/07/19 10:02:08.017890 client.go:146: DBG Try to publish 7 events to logstash with window size 10
2016/07/19 10:02:08.038579 client.go:124: DBG 7 events out of 7 events sent to logstash. Continue sending ...
2016/07/19 10:02:08.038615 single.go:135: DBG send completed
Please help point out what I may be doing wrong with this configuration. Thanks
Based on the hing provided by #LiGhTx117
I think
The startup script used by logstash in:
/etc/init.d/logstash
has the following variables among others:
LS_USER=logstash
LS_GROUP=logstash
LS_HOME=/var/lib/logstash
LS_LOG_DIR=/var/log/logstash
LS_LOG_FILE="${LS_LOG_DIR}/$name.log"
LS_CONF_DIR=/etc/logstash/conf.d
The ownership and permission on these seem to be the issue.
I ensured that the directories where recursively accessible to the
user logstash as well as the group logstash
and
Then I also ensured that the log_file: logstash.log was writeable by
the user/group logstash
restarted logstash
Related
I am configuring rsyslog on a Linux server and want to configure it with TLS secure transport, I follow many documentation including rsyslog official guide (https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html), the thing is that I can see udp port listening, but tcp doesn't and not getting errors on configuration validation, so I am blind and not seeing why tcp port is not listening, I try low and high ports and nothing, I am attaching configuration file that I use last time and the configuration validation output, thanks for any help!
module(load="imuxsock")
module(
load="imtcp"
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="anon"
)
input(type="imtcp" port="11514")
module(load="imudp")
input(type="imudp" port="1514")
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/var/ossec/agentless/rsyslog/ca.pem"
DefaultNetstreamDriverCertFile="/var/ossec/agentless/rsyslog/server/cert.pem"
DefaultNetstreamDriverKeyFile="/var/ossec/agentless/rsyslog/server-key.pem"
)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
And validation:
# rsyslogd -N6
rsyslogd: version 8.16.0, config validation run (level 6), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Netstat output:
# netstat -na |grep 514
udp 0 0 0.0.0.0:1514 0.0.0.0:*
udp6 0 0 :::1514 :::*
Thanks for the answers, the problem apparently was not in the rsyslog configuration, but in Wazuh, the software that was trying to receive the logs of the rsyslog, what I did was change the configuration of the ossec.conf of Wazuh and the open port, create another remote control, one with safe value and one with syslog value and it worked, thanks for all the support as always !!! Hugs and take care
Node Exporter is always running on my local machine on localhost:9100 even if I don't execute it with terminal following this error message:
FATA[0000] listen tcp :9100: bind: address already in use source="node_exporter.go:172"
By which I can understand that this port number is already being used by another application but the thing is I don't have anything hosted there.
This is what netstat | grep 9100 gives:
tcp 0 0 localhost:60232 localhost:9100 ESTABLISHED
tcp6 0 0 localhost:9100 localhost:60232 ESTABLISHED
All I had to do was to "kill" the 9100 port in which Node Exporter was running by using fuser -k 9100/tcp as this was shown on How to kill a process running on particular port in Linux?.
my version of apache
Server version: Apache/2.4.6 (CentOS)
Server built: Apr 20 2018 18:10:38
when I run the command lsof -i :443 it returns nothing
but if I try to run apache (directly by running httpd I got the error, I verified with ps aux that there was no previous httpd/apache process already running)
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
However if i try to run a netcat process on 443 nc 0.0.0.0 -l 443 , it does open and I can send data
I'm a bit lost on what could be the problem ?
Found it
Listen 443 was present two times among the different configuration files of apache
it's a pity apache does not have a more explicit error/warning message (i.e "option defined two times" etc.)
It seems another process is using port 443 on your server.
netstat -anp | grep 443
output will be
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
disable port 443 and start
systemctl start httpd.service
I have lost connection to Cassandra server and I am not able to restore it back.
When I run: sudo service cassandra status I can see service is running:
● cassandra.service - LSB: distributed storage system for structured data
Loaded: loaded (/etc/init.d/cassandra; generated; vendor preset: enabled)
Active: active (exited) since Fri 2018-04-27 13:06:21 UTC; 4min 5s ago
Docs: man:systemd-sysv-generator(8)
Process: 18479 ExecStop=/etc/init.d/cassandra stop (code=exited, status=0/SUCCESS)
Process: 18539 ExecStart=/etc/init.d/cassandra start (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/cassandra.service
Apr 27 13:06:21 serveur-1 systemd[1]: Starting LSB: distributed storage system for structured data...
Apr 27 13:06:21 serveur-1 systemd[1]: Started LSB: distributed storage system for structured data.
But When I run > cqlsh, I got the following:
Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(111, "Tried connecting to [('127.0.0.1', 9042)]. Last error: Connection refused")})
Deleting content of directory /var/lib/cassandra/commitlog and restarting cassandra fixed my issue !
Check that Cassandra really accepts connections through loopback interface.
See what's in your cassandra.yaml under listen_address and listen_interface property
# cat /etc/cassandra/cassandra.yaml | grep listen
...
listen_address: 172.17.0.2
...
If you see a non local address, it might happen that cqlsh needs to connect through another interface to your Cassandra instance. Try this command (by replacing the IP with the same IP in configuration:
# cqlsh 172.17.0.2
You can check which hosts are allowed co access your Cassandra service using the following command
# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:7199 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9042 0.0.0.0:* LISTEN
tcp 0 0 localhost:38899 0.0.0.0:* LISTEN
tcp 0 0 20f1802:afs3-fileserver 0.0.0.0:* LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
0.0.0.0 means that my Cassandra instance allows connection from both loopback and ethernet interface.
Delete all content from commitlog and it will work.
Surely I know that same question is already posted here. However, when I searched it, the status is different from mine and I cannot understand the answers. Therefore I post my problem here. Sorry for duplicating issues.
My homepage suddenly doesn't work and I found out that it failed to start httpd service. Following image is the result when I command 'sudo service httpd start'
Starting httpd: (98)Address already in use: AH00072: make_sock: could
not bind to address [::]:80 (98)Address already in use: AH00072:
make_sock: could not bind to address 0.0.0.0:80 no listening sockets
available, shutting down AH00015: Unable to open logs
[FAILED]
restart doesn't work also.
$ sudo service httpd restart
Stopping httpd: [FAILED]
Starting httpd: (98)Address already in use: AH00072: make_sock: could not bind
to address [::]:80 (98)Address already in use: AH00072: make_sock:
could not bind to address 0.0.0.0:80 no listening sockets available,
shutting down AH00015: Unable to open logs
[FAILED]
What should I do to restart httpd service and revive my homepage?
Error 98 usually occurs when some webserver is using the port, here 80, or
The clean release port/address was not done.
If port is being used by other webserver, shutdown the server. You can find out which service is using port 80 by
netstat -pan |grep 80
and then shutdown the service.
If the port was not released upon unclean shutdown of server, then
sudo service networking restart
to release address/port combination from bind. This usually fixes error 98 for me.
I have the same problem. So i looked to netstat:
sudo netstat -tulpn | grep :80
and received:
tcp6 0 0 :::80 :::* LISTEN 7836/docker-proxy
after killing process:
sudo kill 7836
Files defined inside conf.d would have Listen port as 80 along with repetitive declaration of Listen port in httpd.conf which can cause this issue.
Seems port 80 is used by some other process, it can be checked by "netstat -anp|grep :80" Or assign a new available port to the Listen directive in httpd.conf and restart httpd.
Your httpd server is already started. Try restarting the service instead of starting it again:
sudo service httpd restart