1 前言

一个问题，一篇文章，一出故事。
笔者集群运行logstash发现它希望在514端口倾听，但是被系统拒绝，详细日志如下，
可见如下提示，

Jul 10 15:32:30 azlogstash logstash[1632]: [2024-07-10T15:32:30,530][WARN ][logstash.inputs.syslog   ][main][53ccb7566edb907197e8cdc4242bda697ad0a69bffa35323568b0b3a910539df] syslog listener died {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:123:in `initialize'", "org/jruby/RubyClass.java:949:in `new'", "org/jruby/RubyIO.java:888:in `new'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.7.0/lib/logstash/inputs/syslog.rb:208:in `tcp_listener'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.7.0/lib/logstash/inputs/syslog.rb:172:in `server'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.7.0/lib/logstash/inputs/syslog.rb:156:in `block in run'"]}
Jul 10 15:32:30 azlogstash logstash[1632]: [2024-07-10T15:32:30,531][WARN ][logstash.inputs.syslog   ][main][53ccb7566edb907197e8cdc4242bda697ad0a69bffa35323568b0b3a910539df] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:167:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.7.0/lib/logstash/inputs/syslog.rb:191:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.7.0/lib/logstash/inputs/syslog.rb:172:in `server'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-syslog-3.7.0/lib/logstash/inputs/syslog.rb:152:in `block in run'"]}

因此，本章将总结解决此问题的方案。

2 最佳实践

2.1 查看当前的系统配置

sysctl net.ipv4.ip_unprivileged_port_start

可见如下提示，

net.ipv4.ip_unprivileged_port_start = 1024

2.2 修改系统设置

echo "net.ipv4.ip_unprivileged_port_start = 514" >> /etc/sysctl.d/99-sysctl.conf
sysctl -p