Error in logstash.conf

Hello, I have a problem when running my Logstash. Below is my configuration in logstash.conf:

input {
  file {
    path => ["/var/log/nsm/eve.json"]
    codec => json
    type => "SuricataIDPS"
  }
}

filter {
  if [type] == "SuricataIDPS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    ruby {
      code => "
        if event.get('[event_type]') == 'fileinfo'
          event.set('[fileinfo][type]', event.get('[fileinfo][magic]').to_s.split(',')[0])
        end
      "
    }
  }

  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    if ![geoip.ip] {
      if [dest_ip] {
        geoip {
          source => "dest_ip"
          target => "geoip"
          #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}

output {
  elasticsearch { hosts => localhost }
}

The error occurred as follows:
[2018-07-25T01:37:12,638][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {:pipeline_id=>"main", "exception"=>"undefined method tr' for -118.244:Float", "backtrace"=>["/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:344:inconvert_float'", "org/jruby/RubyMethod.java:115:in call'", "/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:309:inblock in convert'", "org/jruby/RubyArray.java:2486:in map'", "/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:309:inblock in convert'", "org/jruby/RubyHash.java:1343:in each'", "/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:299:inconvert'", "/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:252:in filter'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/filters/base.rb:145:indo_filter'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/filters/base.rb:164:in block in multi_filter'", "org/jruby/RubyArray.java:1734:ineach'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/filters/base.rb:161:in multi_filter'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/filter_delegator.rb:47:inmulti_filter'", "(eval):352:in block in initialize'", "org/jruby/RubyArray.java:1734:ineach'", "(eval):348:in block in initialize'", "(eval):366:inblock in initialize'", "org/jruby/RubyArray.java:1734:in each'", "(eval):363:inblock in initialize'", "(eval):382:in block in initialize'", "org/jruby/RubyArray.java:1734:ineach'", "(eval):377:in block in initialize'", "(eval):172:inblock in filter_func'", 
"/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/pipeline.rb:445:in filter_batch'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/pipeline.rb:424:inworker_loop'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/pipeline.rb:386:in block in start_workers'"], :thread=>"#<Thread:0xd1823a0 sleep>"} [2018-07-25T01:37:12,758][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<NoMethodError: undefined methodtr' for -118.244:Float>, :backtrace=>["/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:344:in convert_float'", "org/jruby/RubyMethod.java:115:incall'", "/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:309:in block in convert'", "org/jruby/RubyArray.java:2486:inmap'", "/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:309:in block in convert'", "org/jruby/RubyHash.java:1343:ineach'", "/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:299:in convert'", "/home/ashley/logstash-6.2.4/vendor/bundle/jruby/2.3.0/gems/logstash-filter-mutate-3.3.1/lib/logstash/filters/mutate.rb:252:infilter'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/filters/base.rb:145:in do_filter'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/filters/base.rb:164:inblock in multi_filter'", "org/jruby/RubyArray.java:1734:in each'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/filters/base.rb:161:inmulti_filter'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/filter_delegator.rb:47:in multi_filter'", "(eval):352:inblock in initialize'", "org/jruby/RubyArray.java:1734:in each'", "(eval):348:inblock in initialize'", "(eval):366:in block in initialize'", "org/jruby/RubyArray.java:1734:ineach'", "(eval):363:in block in initialize'", "(eval):382:inblock in 
initialize'", "org/jruby/RubyArray.java:1734:in each'", "(eval):377:inblock in initialize'", "(eval):172:in block in filter_func'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/pipeline.rb:445:infilter_batch'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/pipeline.rb:424:in worker_loop'", "/home/ashley/logstash-6.2.4/logstash-core/lib/logstash/pipeline.rb:386:inblock in start_workers'"]}
[2018-07-25T01:37:12,893][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: org.jruby.exceptions.RaiseException: (SystemExit) exit

Can anyone help? Thanks.

Hi Ashley,

Please format your post so that it is easier to read.

Could you try removing the mutate block and see if this still gives you the same errors?

I answered a question like this a week or two ago.

You're trying to convert a field value already containing a float into a float value.
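A type-aware way to build the coordinates array without the crash discussed above, as an added example that is not part of the original thread and is not the mutate plugin's code. `FakeEvent` is a hypothetical stand-in for the Logstash event API, `string_only_to_float` is an assumed model of a converter that calls `tr` on whatever it receives, and the latitude value is a constructed sample.

```ruby
# Hypothetical stand-in for the Logstash event API: get/set with [a][b] references.
class FakeEvent
  def initialize(data)
    @data = data
  end

  def get(ref)
    keys(ref).reduce(@data) { |node, k| node.is_a?(Hash) ? node[k] : nil }
  end

  def set(ref, value)
    *parents, leaf = keys(ref)
    node = parents.reduce(@data) { |n, k| n[k] ||= {} }
    node[leaf] = value
  end

  def keys(ref)
    ref.scan(/\[([^\]]+)\]/).flatten
  end
end

# Assumed model of the failing step: every value is treated as a String,
# so a value that is already a Float raises NoMethodError (no `tr` on Float).
def string_only_to_float(value)
  value.tr(',', '').to_f
end

# Type-aware conversion: numerics pass through, strings are parsed strictly,
# anything else (nil, unparsable text) yields nil instead of raising.
def to_float_or_nil(value)
  case value
  when Float then value
  when Integer then value.to_f
  when String then (Float(value.strip) rescue nil)
  end
end

# Sets [geoip][coordinates] to [lon, lat] only when both values parse.
def set_coordinates(event)
  lon = to_float_or_nil(event.get('[geoip][longitude]'))
  lat = to_float_or_nil(event.get('[geoip][latitude]'))
  return false if lon.nil? || lat.nil?
  event.set('[geoip][coordinates]', [lon, lat])
  true
end

# Constructed sample: longitude already a Float (as in the error), latitude a String.
sample = FakeEvent.new('geoip' => { 'longitude' => -118.244, 'latitude' => '34.0544' })
puts set_coordinates(sample), sample.get('[geoip][coordinates]').inspect
```

Because a failed lookup leaves the event untouched instead of raising, one malformed event cannot stop the pipeline worker the way the exception in the log above did.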

Should it not also specify the port at the output level?

Thanks a lot... Logstash is already running.

Thanks a lot... Thanks for your explanation.

@Yih_Ashley as you are processing Suricata data, you might want to also have a look at...

It uses filebeat to tail the eve.json file and send the data to Logstash for processing before it is sent to Elasticsearch and can be visualized in Kibana.
