I have a Java application running in a Docker container on a Docker host. The application uses log4j for logging and logs to syslog. I want to be able to send my syslog logs to Logstash.

I changed the configuration in the rsyslog config file to:

*.* @@<logstash host ip>:514 

and I have in my logstash config file for syslog:

input {
  syslog {
    type => syslog
    port => 514
  }
}

and in logstash logs I got errors saying syslog tcp listener died and

exception=>#<Errno::EACCES: Permission denied - bind(2)

I thought I should probably specify where the host is in the Logstash configs and added the IP address of my Docker host + port to the config file, but I still get the same errors.

How can I tell Logstash to look at the Docker container on the Docker host for logs? Am I missing a component here?

Thanks.

tyrell_c
  • I can't help you with connecting Docker to the host machine's Logstash, but the reason for your EACCES error is that by default only root can bind to ports below 1024. Change the port, run Logstash as root, or see some other options at http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-1024-on-l. – Magnus Bäck Dec 14 '14 at 16:49
  • I tried doing that and it says operation not permitted. The logstash service located in /etc/init.d is a script ... so .. I don't think I can use this solution. I'm not able to run logstash as root so I think I have to change ports. – tyrell_c Dec 15 '14 at 15:41
  • Just to note, logging Java apps over syslog may cause issues due to the 1024-byte limit on syslog messages; exceptions often exceed that. – stuart-warren Jan 11 '15 at 11:23

1 Answer

You need to run the process as root. Normal users (i.e. non-root) can't bind to ports less than 1024 without some setuid trickery.

Thomas Decaux
stringy05
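The rule behind the EACCES error in this thread, as an added example that is not part of the original posts: on Linux, bind(2) on a port below `net.ipv4.ip_unprivileged_port_start` (default 1024) requires CAP_NET_BIND_SERVICE, so an unprivileged Logstash can only listen on a higher port. The script predicts and then tests the outcome for the current process; port 5514 and the sample status text are constructed for illustration.

```python
import errno
import socket

CAP_NET_BIND_SERVICE = 10  # bit position in Linux capability masks
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"

# Constructed sample of /proc/<pid>/status for an unprivileged service account.
SAMPLE_STATUS = "Name:\tjava\nUid:\t998\t998\t998\t998\nCapEff:\t0000000000000000\n"

def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    return 0

def bind_verdict(port, cap_eff, unpriv_start=1024):
    """Predict whether bind(2) on `port` is allowed, and say why."""
    if port >= unpriv_start:
        return True, "port is not privileged (>= %d)" % unpriv_start
    if cap_eff & (1 << CAP_NET_BIND_SERVICE):
        return True, "process holds CAP_NET_BIND_SERVICE"
    return False, "privileged port and no CAP_NET_BIND_SERVICE: expect EACCES"

def try_bind(port):
    """Attempt a real TCP bind on all interfaces; return None or the errno name."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("0.0.0.0", port))
            return None
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))

if __name__ == "__main__":
    # Linux only: read this process's own capabilities and the sysctl.
    with open("/proc/self/status") as f:
        caps = parse_cap_eff(f.read())
    with open(SYSCTL) as f:
        start = int(f.read())
    for port in (514, 5514):  # 5514 is an arbitrary unprivileged alternative
        print(port, bind_verdict(port, caps, start), "actual:", try_bind(port) or "ok")
```

Run it as the same user that starts Logstash; if 514 is refused and the higher port is accepted, pointing both the rsyslog forward rule and the Logstash `port` setting at the higher port avoids running the listener as root.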