Add logstash custom pattern error

Tr_ng_Trang · November 9, 2016, 7:54am

hi all,
i am beginner with logstash, i have a question about custom pattern for logstash.
I want to define new pattern for file_type like this:
DEFGH (?:asd?|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|ocx|pif|reg|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wsf|wsh|xl?)
for word is bat or chm or com ....
i test success when test in grokconstructor page like this :

but when setup in on logstash like file:
input {
beats {
port => 5044
}
}
filter {
grok {
patterns_dir => "/etc/logstash/conf.d/patterns"
match => {
"message" => ["%{WORD:amavis_action} %{WORD:amavis_category} (.%{DEFGH:file_type},%{DATA:a})"]}
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
and file patterns like above it error, anyone help me pls,
thank you.

magnusbaeck · November 9, 2016, 8:00am

Please show the full error message.

Tr_ng_Trang · November 9, 2016, 8:03am

[2016-11-08T23:21:50,550][ERROR][logstash.agent ] fetched an invalid config {:config=>"input {\n beats {\n port => 5044\n }\n}\nfilter {\n grok {\n\tpatterns_dir => {"/etc/logstash/conf.d/patterns"}\n\tmatch => { \t\n\t"message" => ["%{WORD:amavis_action} %{WORD:amavis_category} \(.%{DEFGH:file_type},%{DATA:a}\)",\n\t"%{WORD:amavis_action} %{WORD:amavis_category} \(%{DATA:a},.%{DEFGH:file_type},%{DATA:b}\)"\n\t\t]}\n }\n}\noutput {\n elasticsearch { hosts => ["localhost:9200"] }\n stdout { codec => rubydebug }\n}\n\n\nDEFGH (?:asd?|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|ocx|pif|reg|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wsf|wsh|xl?)\n\n", :reason=>"Expected one of #, => at line 8, column 50 (byte 109) after filter {\n grok {\n\tpatterns_dir => {"/etc/logstash/conf.d/patterns""}
thanksyou for reply, its error log, i don't know why pattern line add to end of file and say error,

magnusbaeck · November 9, 2016, 8:04am

There's a brace missing; you're not closing your filter block before output starts.

Tr_ng_Trang · November 9, 2016, 8:15am

i dont know, i think its problem but i check it again so brace is enough,
can you show me exactly problem, i can't see problem.
or you can copy my file cfg you fix it for me in reply , thanks you very much

magnusbaeck · November 9, 2016, 8:33am

You need an extra } before output. Over and out.

Tr_ng_Trang · November 9, 2016, 9:02am

sry but its'still error when i add } before output, error message is same wih i post before.
Can you give me a example about use patter direct not use pattern_dir ?, i think it can make me check ez

Tr_ng_Trang · November 10, 2016, 3:44am

can u response me soon, i really need to resolve problem :((

system · December 8, 2016, 3:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.