Had to add the following section to /System/Library/LaunchDaemons/com.apple.syslogd.plist to activate UDP on port 514 for syslogd:
<key>NetworkListener</key>
<dict>
    <key>SockServiceName</key>
    <string>syslog</string>
    <key>SockType</key>
    <string>dgram</string>
</dict>
/etc/services has the entries:
shell 514/tcp # cmd
syslog 514/udp #
syslog-conn 601/udp # Reliable Syslog Service
syslog-conn 601/tcp # Reliable Syslog Service
Running logstash-1.4.0/bin/logstash -f logstash-syslog.conf gives:
syslog tcp listener died {:address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2)>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:124:in `initialize'", "org/jruby/RubyIO.java:852:in `new'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:135:in `tcp_listener'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:90:in `run'"], :level=>:warn}
Running it with sudo gives:
syslog udp listener died {:address=>"0.0.0.0:514", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:116:in `udp_listener'", "/Users/priyankb/Documents/logstash-1.4.0/lib/logstash/inputs/syslog.rb:76:in `run'"], :level=>:warn}
Output of sudo lsof -ni -P | grep -i 514:
launchd 1 root 25u IPv4 0x4ec86f4f62c22bb5 0t0 UDP *:514
launchd 1 root 26u IPv6 0x4ec86f4f746ca4f5 0t0 UDP *:514
mDNSRespo 47 _mdnsresponder 49u IPv4 0x4ec86f4f62c1faf5 0t0 UDP *:51446
mDNSRespo 47 _mdnsresponder 50u IPv6 0x4ec86f4f62c1f2d5 0t0 UDP *:51446
mDNSRespo 47 _mdnsresponder 58u IPv4 0x4ec86f4f63fd7175 0t0 UDP *:51437
mDNSRespo 47 _mdnsresponder 59u IPv6 0x4ec86f4f62c1f475 0t0 UDP *:51437
syslogd 655 root 6u IPv4 0x4ec86f4f62c22bb5 0t0 UDP *:514
syslogd 655 root 7u IPv6 0x4ec86f4f746ca4f5 0t0 UDP *:514
Here is the content of my logstash config:
input {
  syslog {
  }
}
filter {
  json {
    source => "message"
  }
}
filter {
  # Field references in conditionals use [field]; ["program"] is an array
  # literal and the comparison would never match.
  if [program] == "myprogram" {
    date {
      match => [ "timestamp_rcvd", "UNIX_MS" ]
    }
    date {
      match => [ "timestamp_rcvd", "UNIX_MS" ]
      target => "timestamp_rcvd"
    }
    date {
      match => [ "timestamp", "UNIX_MS" ]
      target => "timestamp"
    }
  }
}
filter {
  mutate {
    remove_field => [ "facility", "message", "@version", "host", "priority", "severity", "facility_label", "severity_label" ]
  }
}
output {
  stdout { }
  elasticsearch { embedded => true }
}
I am doing all this on my Mac Pro. Searching for similar problems on Google gets me to https://logstash.jira.com/browse/LOGSTASH-840
Closing syslogd with
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
and then running logstash worked. Hope it helps others with a similar issue.
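As an added example that is not part of the original post, a small Python probe that tells the two bind failures seen above apart before starting logstash: EACCES means the privileged port needs root, EADDRINUSE means another daemon (here syslogd, as lsof showed on UDP *:514) already owns it. The function names and the port-holding helper are my own.

```python
import errno
import socket

# Added example: try to bind a port the way a syslog listener would and
# classify the failure, so "run as root" and "another daemon holds the
# port" are not confused with each other.


def probe_bind(port, proto="udp", address="0.0.0.0"):
    """Attempt to bind address:port. Returns 'ok', 'permission-denied',
    'in-use' or 'error:<ERRNO>'. The socket is closed right away, so the
    probe itself never keeps the port."""
    socktype = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, socktype)
    try:
        sock.bind((address, port))
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EACCES:
            return "permission-denied"  # ports below 1024 need root
        if exc.errno == errno.EADDRINUSE:
            return "in-use"             # e.g. syslogd already on UDP 514
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def hold_port(port, proto="udp", address="127.0.0.1"):
    """Bind and keep a socket open, standing in for a daemon such as
    syslogd that already owns the port. The caller closes it. Port 0
    lets the OS pick a free ephemeral port (read it via getsockname)."""
    socktype = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, socktype)
    sock.bind((address, port))
    if proto == "tcp":
        sock.listen(1)
    return sock


def check_syslog_ports(ports=(514,), protos=("udp", "tcp")):
    """Report, per (port, proto), what logstash's syslog input would hit."""
    return {(p, pr): probe_bind(p, pr) for p in ports for pr in protos}


if __name__ == "__main__":
    for (port, proto), status in sorted(check_syslog_ports().items()):
        print(f"{proto}/{port}: {status}")
```

Run it once without sudo and once with: the first run shows permission-denied on 514, the second shows in-use until syslogd is unloaded.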