Cannot receive data after using grok

peterch · December 4, 2017, 3:48am

Dear all,

The following is my logstash config. However, I find cannot receive data. I use netstat -an find the port of 5044 and 514 are not listening. If i remove grok, can receive data. Any idea? Thanks

input{
beats {
port => 5044
tags => "winlog"
}
syslog{
port => 514
tags => "syslog"
}
}

filter{
if "Imperva Inc" in [message]{
grok { match => ["message" => "(cs1=)(?[^"]+) (cs1Label=)"]}
}
}

output {
if "winlog" in [tags]{
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
else if "syslog" in [tags]{
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "syslog"
}
}

magnusbaeck · December 4, 2017, 6:24am

Have you looked in the Logstash logs for clues?

peterch · December 5, 2017, 1:57am

Hi Magnusbaeck,

Thanks for your reply, I find the problem. The reason is (cs1=)(?[^"]+) should be (cs1=)(?[^"]+)

Problem solved.

Thanks

system · January 2, 2018, 1:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash not listening to 5044 Logstash	3	5038	July 29, 2021
Logstash not binding to port 5044 Logstash	4	7909	February 22, 2018
Logstash Cannot Listen Port 5044 after fresh install Logstash	3	601	January 5, 2022
Logstash port 5044 is not listening Logstash	4	2424	December 7, 2017
Logstash port 5044 is not listening after logstash Installation Logstash	3	410	September 3, 2022

Cannot receive data after using grok

Related topics