Logstash for Vagrant: Address already in use

Question

I have a Vagrant image in which there is an application; it is reachable in the Vagrant image if you call the port 2401 and depending on the service that you want, you call a specific address (i.e. "curl -X GET http://127.0.0.1:2401/provider/ipfix"). To retrieve the output outside the Vagrant machine I have set a port forwarding in the Vagrant file ("config.vm.network :forwarded_port, guest: 2401, host: 8080"), thus using the command "curl -X GET http://127.0.0.1:8080/provider/ipfix" from host I get the same output.

I am now on the phase of installing Logstash. My issue is that when I run Logstash with the config file I get the error "Address already in use". I tried to use also fields to guide to the specific output. Below is my Logstash config file. What workaround would you suggest?

input {
 tcp {
    host => localhost
    port => 8080
    add_field => {
     "field1" => "provider"
     "field2" => "ipfix"
        } 
    codec => netflow {
      versions => [10]
      target => ipfix
    }
    type => ipfix
  }
}

output {
 stdout { codec => rubydebug }

  elasticsearch {
    index => "IPFIX-logstash-%{+YYYY.MM.dd}"
  }
}

Answer 1

If I'm reading this right, you're expecting Logstash to use TCP to connect to localhost:8080 to fetch information that it will then process.

That's not what this input does. This creates a listener on 127.0.0.1:8080, so the error message about 'already in use' is quite correct.

Considering you're using curl as an example of fetching this data, I suggest the http_poller plugin is better for what you want.

input {
  http_poller {
    urls => {
      IPFIX => "http://127.0.0.1:8080/provider/ipfix"
    }
    request_timeout => 30
    schedule => { "every" => "5s" }
    add_tags => [ 'ipfix' ]
  }
}

This will hit the known-working CURL URL every 5 seconds with a GET request.