Assistance with my Logstash filter

HelpComputer · October 7, 2020, 9:15pm

Hello,

I am trying to use a variation of the filter provided here - https://github.com/bromiley/olaf/blob/master/logstash/o365.config but I keep getting the following error,

[FATAL][logstash.runner ] The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "=>" at line 17, column 12 (byte 616) after filter {

Below is the filter config I am using. Any suggestions on how to correct this? Thanks!

filter {
  if [log][file][path] == "/var/log/audit.log"
    {
    kv {
     include_keys => [ "VlogRecNo", "VigilRecNo", "Pid", "TimeStamp", "Type", "Event", "LinuxPath", "netAddr_IPv4", "Dn", "UserDn", "PATH Type", "Comm" ]
       }
    if [Comm] == "smdrd"
     {
        drop { }
     }
    }

  if ([type] == "o365_csv") {
      csv {
        columns => ["PSComputerName", "RunspaceId", "PSShowComputerName", "RecordType", "CreationDate", "UserIds", "Operations", "AuditData", "ResultIndex", "ResultCount", "Identity", "IsValid", "ObjectState"]
        skip_header => "true"
        if ([message =~ /^#/) {
          drop {}
        }
      }
      date {
        match => [ "CreationDate", "ISO8601" ]
      }
      json {
        source => "AuditData"
      }
  }
}

HelpComputer · October 7, 2020, 9:37pm

Realized it was missing a square bracket after message (see below). Added the missing bracket but it's still throwing the same error

if ([message] =~ /^#/) {

Badger · October 7, 2020, 10:49pm

Could be missing the } to close a previous input, output, or filter section.

What do the first 18 lines of the configuration look like?

HelpComputer · October 8, 2020, 1:39pm

Thanks for the reply @Badger! That's the whole filter file posted above. I copied and pasted the contents from above into http://www.yamllint.com/ and it says it's valid. The error has me baffled.

Badger · October 8, 2020, 2:35pm

What other files are part of the configuration?

HelpComputer · October 8, 2020, 4:31pm

The input/output section is another file in that same folder. Password has been removed on post.

input {
  tcp {
    port => 5544
  }

  beats {
    port => 5044
    ssl => false
  }

}

output {
#  if [@metadata][beat] == "filebeat" and [input][type] == "netflow" {
#    elasticsearch {
#      hosts => ["elastic1", "elastic2", "elastic3"]
#      index => "netflow-%{[@metadata][version]}"
#      user => "service-account"
#      password => ""
#    }
#  }
  if [@metadata][beat] == "filebeat" {
    elasticsearch {
      hosts => ["elastic1", "elastic2", "elastic3"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      user => "service-account"
      password => ""
      ssl => "true"
    }
  }
  if [@metadata][beat] == "winlogbeat" {
    elasticsearch {
      hosts => ["elastic1", "elastic2", "elastic3"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      user => "service-account"
      password => ""
      ssl => "true"
    }
  }
#  else {
#    elasticsearch {
#      hosts => ["elastic1", "elastic2", "elastic3"]
#      index => "syslog-%{+YYYY.MM.dd}"
#      user => "service-account"
#      password => ""
#    }
#  }
}

Badger · October 8, 2020, 4:40pm

Try running with --log.level debug --config.debug and see what it is trying to load. Show us the first 18 lines of the configuration that it loads, you can redact anything you need to, but do not add or delete any lines.

HelpComputer · October 8, 2020, 4:57pm

Hope this helps

[2020-10-08T11:46:21,890][DEBUG][org.logstash.config.ir.PipelineConfig] -------- Logstash Config ---------
[2020-10-08T11:46:21,896][DEBUG][org.logstash.config.ir.PipelineConfig] Config from source, source: LogStash::Config::Source::Local, pipeline_id:: main
[2020-10-08T11:46:21,898][DEBUG][org.logstash.config.ir.PipelineConfig] Config string, protocol: file, id: /etc/logstash/conf.d/filter.conf
[2020-10-08T11:46:21,899][DEBUG][org.logstash.config.ir.PipelineConfig]

filter {
  if [log][file][path] == "/var/log/audit.log"
    {
    kv {
     include_keys => [ "VlogRecNo", "VigilRecNo", "Pid", "TimeStamp", "Type", "Event", "LinuxPath", "netAddr_IPv4", "Dn", "UserDn", "PATH Type", "Comm" ]
       }
    if [Comm] == "smdrd"
     {
        drop { }
     }
    }

  if ([type] == "o365_csv") {
      csv {
        columns => ["PSComputerName", "RunspaceId", "PSShowComputerName", "RecordType", "CreationDate", "UserIds", "Operations", "AuditData", "ResultIndex", "ResultCount", "Identity" "IsValid", "ObjectState"]
        skip_header => "true"
        if ([message] =~ /^#/) {
          drop { }
        }
      }
      date {
        match => [ "CreationDate", "ISO8601" ]
      }
      json {
        source => "AuditData"
      }
  }
}

Badger · October 8, 2020, 5:09pm

    if ([message] =~ /^#/) {
      drop { }
    }

You cannot put that inside the csv {} filter.

HelpComputer · October 9, 2020, 1:21pm

Thanks, that was it! Removed that part and it's now working.

system · November 6, 2020, 1:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstasg config error The given configuration is invalid. Reason: Expected one of #, {, } at line 13, column 44 (byte 286) after filter { Logstash	3	3619	January 30, 2018
Config Error : configuration is invalid. Reason: Expected one of #, => Logstash	4	684	July 1, 2019
Could not find the error in logstash CONF Logstash	5	603	January 24, 2017
[FATAL] 2018-05-16 09:39:07.354 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of #, => at line 15, column 10 (byte 170) after Logstash	4	1048	June 13, 2018
What is wrong with my logstash config? Logstash	3	705	April 14, 2017

Assistance with my Logstash filter

Related topics