Problem

Received error “Could not bind UDP syslog input to address /0.0.0.0:514, Failed to bind to: /0.0.0.0:514, Address already in use” when adding log input using UDP 514 (default syslog port).

Explanation

In UNIX/LINUX, assigned port 1024 and below require root privilege. Either you run graylog2 as root (not recommended) or follow below workaround.

Solution

1. Create new Syslog UDP inputs and listen to any port (ex: 5514).
2. Manipulate traffic using iptable:
iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 5514

Incoming search terms:

  • graylog input failed to bind
  • Sadly, graylog2 does not have any wrapper process running as root 🙁 The solution is a little bit incorrect. You need to specify the table “nat”, as default table “filter” does not have a chain named “PREROUTING”. So the full and correct command line should be:
    iptables -t nat -A PREROUTING -i eth0 -p udp -m udp –dport 514 -j REDIRECT –to-ports 5514

    • h4irul

      Thank you for pointing it out. I have updated the syntax.