When I was trying ELK I installed logstash-2.4.0 and wrote log4j_to_es.conf. When I ran `./bin/logstash agent -f config/log4j_to_es.conf` I got an error.

```
Settings: Default pipeline workers: 4
Pipeline aborted due to error {:exception=>"Errno::EADDRNOTAVAIL", :backtrace=>[
"org/jruby/ext/socket/RubyTCPServer.java:118:in `initialize'", 
"org/jruby/RubyIO.java:871:in `new'", 
"/home/tools/logstash-2.4.0/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/lib/logstash/inputs/log4j.rb:71:in `register'", 
"/home/tools/logstash-2.4.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:330:in `start_inputs'", 
"org/jruby/RubyArray.java:1613:in `each'", 
"/home/tools/logstash-2.4.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:329:in `start_inputs'", 
"/home/tools/logstash-2.4.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:180:in `start_workers'", 
"/home/tools/logstash-2.4.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:136:in `run'", 
"/home/tools/logstash-2.4.0/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/agent.rb:491:in `start_pipeline'"], 
:level=>:error}
stopping pipeline {:id=>"main"}
```

And the log4j_to_es.conf is like this:

```
input {
  log4j {
    mode => "server"
    host => "120.13.243.95"
    port => 4567
  }
}
output {
  elasticsearch {
    action => "index"
    hosts  => "192.168.1.54:9200"
    index  => "applog"
  }
}
```

The system is CentOS 7.2.1511. The input is another server. The output is localhost.

blackdog

1 Answer

The IP address you have specified in your input is not available on the system you're running logstash on. I presume the IP you provided there is the IP address of the system that is sending the logs?

If so, you've misinterpreted the configuration syntax. You do not need to specify an IP address in the input. If you omit that entry, logstash will listen on all available interfaces. If, on the other hand, you do indeed only want logstash to listen on a specific IP, you'll need to ensure that the specified IP is one configured on the logstash server.

-- Edit: do you want logstash to receive messages that your log4j sends? If so, the above fix applies. If, on the other hand, you want logstash to connect to your log4j instance on the remote server, then all you need to do is change your "mode" from "server" to "client".

Have you read the logstash log4j documentation? It makes this all quite clear.

EEAA
  • The input server runs a tomcat. So you mean I must make the tomcat keep working at first (the document said the java project should use the `SocketAppender` in the log4j.properties)? Does that mean if logstash can't find the ip or port, it crashes? – blackdog Sep 18 '16 at 02:26
  • @blackdog Please see my edit. – EEAA Sep 18 '16 at 02:59
  • @blackdog, *no* server will start successfully if it's configured to listen on an IP address not available on the local interface. Not apache, not nginx, not any other -- to do the contrary (by, say, falling back to listening on all interfaces) would be a grave security bug (if you ended up listening on addresses bound to untrusted interfaces). – Charles Duffy Sep 18 '16 at 04:55
  • @blackdog, ...and no, it has nothing to do with tomcat -- it's the **listening** port that it's trying to bind, that is, the one that's local to the machine running logstash; this has nothing to do with the sending port (on your machine running tomcat). – Charles Duffy Sep 18 '16 at 04:56
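
The failure discussed in this thread can be checked before starting the pipeline. The following Ruby preflight is an added example, not code from the question, the answer or Logstash: it attempts the same kind of bind a server-mode input performs and reports why it would fail. The function names are hypothetical and the sample config is copied from the question.

```ruby
require "socket"

# Constructed sample: the input block from the question above.
SAMPLE_CONF = <<~CONF
  input {
    log4j {
      mode => "server"
      host => "120.13.243.95"
      port => 4567
    }
  }
CONF

# Extract host/port/mode from the first log4j block. A missing host is
# treated as "all interfaces" (as the answer describes); a missing port
# becomes 0, which asks the kernel for any free port.
def listen_settings(conf)
  block = conf[/log4j\s*\{(.*?)\}/m, 1] or return nil
  { host: block[/host\s*=>\s*"([^"]+)"/, 1] || "0.0.0.0",
    port: block[/port\s*=>\s*(\d+)/, 1].to_i,
    mode: block[/mode\s*=>\s*"([^"]+)"/, 1] }
end

# Try to open a listener on host:port and classify the outcome.
def check_bind(host, port)
  server = TCPServer.new(host, port)
  :ok
rescue Errno::EADDRNOTAVAIL
  :not_local          # address is not configured on any local interface
rescue Errno::EADDRINUSE
  :port_in_use
rescue Errno::EACCES
  :permission_denied  # e.g. a privileged port without the needed rights
ensure
  server&.close
end

def preflight(conf)
  s = listen_settings(conf) or return { status: :no_log4j_input }
  # In client mode the input connects out, so there is nothing to bind.
  return s.merge(status: :client_mode_no_listener) if s[:mode] == "client"
  local = Socket.ip_address_list.select(&:ipv4?).map(&:ip_address)
  s.merge(status: check_bind(s[:host], s[:port]), local_addresses: local,
          all_interfaces: s[:host] == "0.0.0.0") # exposed on every interface
end

p preflight(SAMPLE_CONF) if __FILE__ == $PROGRAM_NAME
```

A `:not_local` result corresponds to the `Errno::EADDRNOTAVAIL` in the question's backtrace; `local_addresses` lists the IPv4 addresses that would be valid `host` values on the machine running the check.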