0

I have come encountered some issues on configuring Logstash.

I have used filebeats to forward logs and it went well for the first time. But when I close and repoen the termainal to configure logstash and filebeats. An error comes even Kibana UI shows that log files are still sent and read:

Settings: Default pipeline workers: 8
Beats inputs: Starting input listener {:address=>"0.0.0.0:5044", :level=>:info}
The error reported is: 
Address already in use - bind - Address already in use

Here is the config file

input {
  beats {
  port => 5044
  type => "logs"
  ssl => true
  ssl_certificate => "/etc/pki/tls/certs/filebeat.crt"
  ssl_key => "/etc/pki/tls/private/filebeat.key"
  }
}

filter{
  if [type] == "syslog" {
  grok {
     match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
     add_field => [ "received_at", "%{@timestamp}" ]
     add_field => [ "received_from", "%{host}" ]
  }
  syslog_pri { }
  date {
     match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
 }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
}
  stdout { codec => rubydebug }
}

I have no idea what's going on. Would anyone could please tell me. Thanks

kan1207
  • 23
  • 6
  • It seems that another logstash is still running and is already listening to port 5044. What do you get when running this `ps -edf | grep logstash`? – Val Apr 05 '16 at 06:27
  • Yes,, it is still running ad listening to port. And I can only force close logstash with the command $ kill -9 4869. Anyway to close it naturally when I just close the terminal? – kan1207 Apr 05 '16 at 06:37
  • Then you need to kill that instance with `sudo kill -9 `. Closing the terminal doesn't kill the process. – Val Apr 05 '16 at 06:38
  • Anyway to close it naturally when I just close the terminal? – kan1207 Apr 05 '16 at 06:39
  • How do you start logstash? – Val Apr 05 '16 at 06:39
  • $cd /opt/logstash $bin/logstash agent -v -f beats-input.conf – kan1207 Apr 05 '16 at 06:41
  • Then hit Ctrl+C before killing the terminal – Val Apr 05 '16 at 06:43
  • OK Thanks Just wonder why it would happen only to logstash but not elasticsearch and kibana. Elasticsearch and kibana close naturally together with the closing of terminal – kan1207 Apr 05 '16 at 06:46
  • Those processes might be disowned, i.e. detached from their parent session in the terminal. See this http://unix.stackexchange.com/questions/176839/closing-parent-processterminal-doesnt-close-a-specific-child-process – Val Apr 05 '16 at 07:35

0 Answers0