logstash no longer binds to privileged port after upgrade 2026R1.0.3

[CBoekhuis]

Hi,

after upgrading from 2026R1.0.2 to 2026R1.0.3 logstash no longer binds to privileged ports. In my case I have an input filter to listen on port 514 for some legacy devices, but since the upgrade there is nothing listening on port 514. I have the following error message in de /var/log/message:

Code: Select all

Jan 14 11:21:51 my_server logstash[472527]: [2026-01-14T11:21:51,351][WARN ][logstash.inputs.syslog   ][main][6959ef36df66d3c06efe0c86a4757b9b94c41452b36a9b4fbc1229d00649b7b9] syslog listener die
d {:protocol=>:udp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:167:in `bind
'", "/usr/local/nagioslogserver/logstash/vendor/local_gems/44acb515/logstash-input-syslog-3.7.1/lib/logstash/inputs/syslog.rb:193:in `udp_listener'", "/usr/local/nagioslogserver/logstash/vendor
/local_gems/44acb515/logstash-input-syslog-3.7.1/lib/logstash/inputs/syslog.rb:174:in `server'", "/usr/local/nagioslogserver/logstash/vendor/local_gems/44acb515/logstash-input-syslog-3.7.1/lib/
logstash/inputs/syslog.rb:154:in `block in run'"]}
Jan 14 11:21:51 my_server logstash[472527]: [2026-01-14T11:21:51,358][WARN ][logstash.inputs.syslog   ][main][6959ef36df66d3c06efe0c86a4757b9b94c41452b36a9b4fbc1229d00649b7b9] syslog listener die
d {:protocol=>:tcp, :address=>"0.0.0.0:514", :exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyTCPServer.java:123:in `init
ialize'", "org/jruby/RubyClass.java:950:in `new'", "org/jruby/RubyIO.java:889:in `new'", "/usr/local/nagioslogserver/logstash/vendor/local_gems/44acb515/logstash-input-syslog-3.7.1/lib/logstash
/inputs/syslog.rb:210:in `tcp_listener'", "/usr/local/nagioslogserver/logstash/vendor/local_gems/44acb515/logstash-input-syslog-3.7.1/lib/logstash/inputs/syslog.rb:174:in `server'", "/usr/local
/nagioslogserver/logstash/vendor/local_gems/44acb515/logstash-input-syslog-3.7.1/lib/logstash/inputs/syslog.rb:158:in `block in run'"]}

software runs on RHEL9.7

Any idea how to fix this?

Kind regards,
Hans

[CBoekhuis]

I "fixed" it myself. Apparently the /usr/local/nagioslogserver/logstash/jdk/bin/java no longer had extended capabilities:

before upgrade:
root:/usr/local/nagioslogserver/logstash/jdk/bin> getcap ./java
./java cap_net_bind_service=ep

after upgrade:
root:/usr/local/nagioslogserver/logstash/jdk/bin> getcap ./java
root:/usr/local/nagioslogserver/logstash/jdk/bin>

I fixed it by running the following command on all nodes and restarting logstash:
setcap 'cap_net_bind_service=+ep' /usr/local/nagioslogserver/logstash/jdk/bin/java

root:/usr/local/nagioslogserver/logstash/jdk/bin> lsof -i :514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 498296 nagios 175u IPv4 8376511 0t0 UDP *:syslog
java 498296 nagios 176u IPv6 8376512 0t0 TCP *:shell (LISTEN)

Not sure if it is the best way to fix it, but it works for me .
Greeting...Hans

[jmichaelson]

That's exactly the best way to fix it. I'll have a look into what's going on during the upgrade that caused that step to not happen. The changelog issue if you're interested will be NLS#810.