Error in Logstash grok filter

Hi,

I tried to structure the syserr log, and I'm getting an error. Can anyone please guide me on how to proceed?

Log file sample

[1/8/18 14:08:22:395 IST] 0000007a SystemErr R com.ibm.ws.persistence.WsJpaProductDerivation:java.lang.ClassNotFoundException: com.ibm.ws.persistence.WsJpaProductDerivation
[1/8/18 14:08:22:453 IST] 0000007a SystemErr R 18 jpa-unit-rdbms WARN [server.startup : 2] openjpa.Runtime - Could not create the optional validation provider. Reason returned: "A default ValidatorFactory could not be created."
[1/8/18 14:08:22:848 IST] 0000007a SystemErr R 413 jpa-unit-rdbms INFO [server.startup : 2] openjpa.jdbc.JDBC - Using dictionary class "org.apache.openjpa.jdbc.sql.OracleDictionary" (Oracle Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options ,Oracle JDBC driver 12.1.0.2.0).
[1/8/18 14:08:22:854 IST] 0000007a SystemErr R 419 jpa-unit-rdbms INFO [server.startup : 2] openjpa.jdbc.JDBC - Connected to Oracle version 12.12 using JDBC driver Oracle JDBC driver version 12.1.0.2.0.
[1/8/18 14:08:22:899 IST] 0000007a SystemErr R 464 jpa-unit-rdbms INFO [server.startup : 2] openjpa.Runtime - Starting OpenJPA 2.4.0
[1/8/18 14:08:28:771 IST] 00000079 SystemErr R Some product derivations are being skipped. For information about product derivation status, run:
java org.apache.openjpa.lib.conf.ProductDerivations
[1/8/18 14:08:28:771 IST] 00000079 SystemErr R com.ibm.ws.persistence.WsJpaProductDerivation:java.lang.ClassNotFoundException: com.ibm.ws.persistence.WsJpaProductDerivation
[1/8/18 14:08:28:830 IST] 00000079 SystemErr R 26 PushPU-oracle INFO [server.startup : 1] openjpa.Runtime - Starting OpenJPA 2.4.1
[1/8/18 14:08:28:849 IST] 00000079 SystemErr R 45 PushPU-oracle INFO [server.startup : 1] openjpa.jdbc.JDBC - Using dictionary class "org.apache.openjpa.jdbc.sql.OracleDictionary".
[1/8/18 14:08:28:864 IST] 00000079 SystemErr R 60 PushPU-oracle INFO [server.startup : 1] openjpa.jdbc.JDBC - Connected to Oracle version 12.12 using JDBC driver Oracle JDBC driver version 12.1.0.2.0.
[1/8/18 14:08:42:921 IST] 0000007a SystemErr R Some product derivations are being skipped. For information about product derivation status, run:
java org.apache.openjpa.lib.conf.ProductDerivations
[1/8/18 14:08:42:921 IST] 0000007a SystemErr R com.ibm.ws.persistence.WsJpaProductDerivation:java.lang.ClassNotFoundException: com.ibm.ws.persistence.WsJpaProductDerivation
[1/8/18 14:08:42:947 IST] 0000007a SystemErr R 9 WorklightManagementPU-oracle WARN [server.startup : 2] openjpa.Runtime - Could not create the optional validation provider. Reason returned: "A default ValidatorFactory could not be created."
[1/8/18 14:08:42:956 IST] 0000007a SystemErr R 1 WorklightManagementPU-oracle WARN [server.startup : 2] openjpa.Runtime - Could not create the optional validation provider. Reason returned: "A default ValidatorFactory could not be created."
[1/8/18 14:08:43:636 IST] 0000007a SystemErr R 681 WorklightManagementPU-oracle INFO [server.startup : 2] openjpa.Runtime - Starting OpenJPA 2.4.1
[1/8/18 14:08:43:646 IST] 0000007a SystemErr R 691 WorklightManagementPU-oracle INFO [server.startup : 2] openjpa.jdbc.JDBC - Using dictionary class "org.apache.openjpa.jdbc.sql.OracleDictionary".
[1/8/18 14:08:43:657 IST] 0000007a SystemErr R 702 WorklightManagementPU-oracle INFO [server.startup : 2] openjpa.jdbc.JDBC - Connected to Oracle version 12.12 using JDBC driver Oracle JDBC driver version 12.1.0.2.0.
[1/8/18 14:10:18:440 IST] 00000078 SystemErr R log4j:WARN No appenders could be found for logger (org.apache.cxf.common.logging.LogUtils).
[1/8/18 14:10:18:440 IST] 00000078 SystemErr R log4j:WARN Please initialize the log4j system properly.
[1/8/18 14:10:18:440 IST] 00000078 SystemErr R log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
[1/8/18 14:10:22:802 IST] 00000135 SystemErr R 99864 WorklightManagementPU-oracle INFO [Default : 2] openjpa.Runtime - Starting OpenJPA 2.4.1
[1/8/18 14:10:22:804 IST] 00000135 SystemErr R 99866 WorklightManagementPU-oracle INFO [Default : 2] openjpa.jdbc.JDBC - Using dictionary class "org.apache.openjpa.jdbc.sql.OracleDictionary".
[1/8/18 14:10:22:808 IST] 00000135 SystemErr R 99870 WorklightManagementPU-oracle INFO [Default : 2] openjpa.jdbc.JDBC - Connected to Oracle version 12.12 using JDBC driver Oracle JDBC driver version 12.1.0.2.0.
[1/17/18 17:32:30:066 IST] 0000016f SystemErr R java.lang.IllegalArgumentException: Illegal status value : 0
[1/17/18 17:32:30:066 IST] 0000016f SystemErr R at org.apache.cxf.jaxrs.impl.ResponseBuilderImpl.status(ResponseBuilderImpl.java:78)
[1/17/18 17:32:30:067 IST] 0000016f SystemErr R at javax.ws.rs.core.Response.status(Response.java:613)
[1/17/18 17:32:30:068 IST] 0000016f SystemErr R at sun.reflect.GeneratedMethodAccessor215.invoke(Unknown Source)
[1/17/18 17:32:30:068 IST] 0000016f SystemErr R at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[1/17/18 17:32:30:068 IST] 0000016f SystemErr R at java.lang.reflect.Method.invoke(Method.java:508)
[1/17/18 17:32:30:068 IST] 0000016f SystemErr R at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)

My config file:

input {
  file {
    path => "/path/of/my/log/file/SystemErr.log"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => {
      "message" => "%{SYSLOG5424SD:time} %{NOTSPACE:id1} %{WORD:errortype}\s\s\s\s %{WORD:id2}\s%{WORD:check}"
    }
  }

  if [check] == " " {
    grok {
      match => {
        "message" => "%{WORD:id3} %{URIHOST}(%{JAVACLASS}:%{NUMBER:errorclass}) "
      }
    }
  }

  if [check] == "java.*" {
    grok {
      match => {
        "message" => "%{URIHOST}:%{CISCO_REASON}:%{Number:statusvalue} "
      }
    }
  }

  if [check] == "log4j:*" {
    grok {
      match => {
        "message" => "log4j:WARN %{CISCO_REASON} (%{URIHOST}). "
      }
    }
  }
}

output {
  stdout {}
  elasticsearch {
    hosts => "x.x.x.x"
    index => "system_error_log_x"
  }
}

Error in Logstash terminal

Sending Logstash logs to /app/install/logstash-6.4.2/logs which is now configured via log4j2.properties
[2018-12-04T12:57:44,934][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-12-04T12:57:45,754][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.4.2"}
[2018-12-04T12:57:52,267][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-12-04T12:57:52,804][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[http://x.x.x.x:9200/]}}
[2018-12-04T12:57:52,815][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://x.x.x.x:9200/, :path=>"/"}
[2018-12-04T12:57:53,059][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://x.x.x.x:9200/"}
[2018-12-04T12:57:53,127][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2018-12-04T12:57:53,131][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2018-12-04T12:57:53,170][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//x.x.x.x"]}
[2018-12-04T12:57:53,194][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2018-12-04T12:57:53,233][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-12-04T12:57:53,521][ERROR][logstash.pipeline ] Error registering plugin {:pipeline_id=>"main", :plugin=>"#<LogStash::FilterDelegator:0x6f7a1952 @metric_events_out=org.jruby.proxy.org.logstash.instrument.metrics.counter.LongCounter$Proxy2 - name: out value:0, @metric_events_in=org.jruby.proxy.org.logstash.instrument.metrics.counter.LongCounter$Proxy2 - name: in value:0, @metric_events_time=org.jruby.proxy.org.logstash.instrument.metrics.counter.LongCounter$Proxy2 - name: duration_in_millis value:0, @id="9c030f9b6ff707c026be39d193338171a60b2c9f46176b22ee2cc685c628100a", @klass=LogStash::Filters::Grok, @metric_events=#LogStash::Instrument::NamespacedMetric:0x3c33faa0, @filter=<LogStash::Filters::Grok match=>{"message"=>"%{URIHOST}:%{CISCO_REASON}:%{Number:statusvalue} "}, id=>"9c030f9b6ff707c026be39d193338171a60b2c9f46176b22ee2cc685c628100a", enable_metric=>true, periodic_flush=>false, patterns_files_glob=>"*", break_on_match=>true, named_captures_only=>true, keep_empty_captures=>false, tag_on_failure=>["_grokparsefailure"], timeout_millis=>30000, tag_on_timeout=>"_groktimeout">>", :error=>"pattern %{Number:statusvalue} not defined", :thread=>"#<Thread:0x727640eb run>"}
[2018-12-04T12:57:53,944][ERROR][logstash.pipeline ] Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{Number:statusvalue} not defined>, :backtrace=>["/app/install/logstash-6.4.2/vendor/bundle/jruby/2.3.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:123:in block in compile'", "org/jruby/RubyKernel.java:1292:inloop'", "/app/install/logstash-6.4.2/vendor/bundle/jruby/2.3.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:93:in compile'", "/app/install/logstash-6.4.2/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.3/lib/logstash/filters/grok.rb:281:inblock in register'", "org/jruby/RubyArray.java:1734:in each'", "/app/install/logstash-6.4.2/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.3/lib/logstash/filters/grok.rb:275:inblock in register'", "org/jruby/RubyHash.java:1343:in each'", "/app/install/logstash-6.4.2/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.3/lib/logstash/filters/grok.rb:270:inregister'", "/app/install/logstash-6.4.2/logstash-core/lib/logstash/pipeline.rb:242:in register_plugin'", "/app/install/logstash-6.4.2/logstash-core/lib/logstash/pipeline.rb:253:inblock in register_plugins'", "org/jruby/RubyArray.java:1734:in each'", "/app/install/logstash-6.4.2/logstash-core/lib/logstash/pipeline.rb:253:inregister_plugins'", "/app/install/logstash-6.4.2/logstash-core/lib/logstash/pipeline.rb:595:in maybe_setup_out_plugins'", "/app/install/logstash-6.4.2/logstash-core/lib/logstash/pipeline.rb:263:instart_workers'", "/app/install/logstash-6.4.2/logstash-core/lib/logstash/pipeline.rb:200:in run'", "/app/install/logstash-6.4.2/logstash-core/lib/logstash/pipeline.rb:160:inblock in start'"], :thread=>"#<Thread:0x727640eb run>"}
[2018-12-04T12:57:53,968][ERROR][logstash.agent ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create, action_result: false", :backtrace=>nil}
[user@server bin]$

Please let me know if I'm doing it the right way, or guide me on how to read the above log.

Appreciate your response :)
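
Added example (not part of the original post, and Python rather than Logstash config): the parsing that the grok stages above are aiming for, splitting each SystemErr line into timestamp, thread id, logger and event type, classifying the remainder, and folding lines that have no `[timestamp]` header into the previous event. The regexes, field names and the shortened sample lines are assumptions constructed from the log excerpt in the post.

```python
import re

# Constructed sample, shortened from the SystemErr.log lines in the post.
SAMPLE = """\
[1/8/18 14:08:22:848 IST] 0000007a SystemErr R 413 jpa-unit-rdbms INFO [server.startup : 2] openjpa.jdbc.JDBC - Using dictionary class "org.apache.openjpa.jdbc.sql.OracleDictionary" (Oracle Database 12c
With the Partitioning, OLAP options ,Oracle JDBC driver 12.1.0.2.0).
[1/8/18 14:10:18:440 IST] 00000078 SystemErr R log4j:WARN Please initialize the log4j system properly.
[1/17/18 17:32:30:066 IST] 0000016f SystemErr R java.lang.IllegalArgumentException: Illegal status value : 0
[1/17/18 17:32:30:066 IST] 0000016f SystemErr R at org.apache.cxf.jaxrs.impl.ResponseBuilderImpl.status(ResponseBuilderImpl.java:78)
"""

# Header common to every event: [time] thread logger type detail
HEADER = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+"
    r"(?P<logger>\S+)\s+(?P<type>[A-Z])\s+(?P<detail>.*)$")

# Ordered classifiers for the detail text; the first match wins.
KINDS = [
    ("stack_frame", re.compile(r"^at\s+[\w.$]+\(")),
    ("log4j", re.compile(r"^log4j:(?P<level>[A-Z]+)\s")),
    ("openjpa", re.compile(r"^(?P<ms>\d+)\s+(?P<unit>\S+)\s+(?P<level>[A-Z]+)\s+\[")),
    ("exception", re.compile(r"^(?P<exc_class>[\w.$]+(?:Exception|Error)):\s")),
]

def classify(detail):
    """Return (kind, extra_fields) for the text after the header."""
    for kind, rx in KINDS:
        m = rx.match(detail)
        if m:
            return kind, m.groupdict()
    return "other", {}

def parse(text):
    """Return one dict per event; header-less lines extend the previous event."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"], extra = classify(ev["detail"])
            ev.update(extra)
            events.append(ev)
        elif events and line.strip():
            events[-1]["detail"] += "\n" + line  # continuation line
    return events

if __name__ == "__main__":
    for ev in parse(SAMPLE):
        print(ev["time"], ev["thread"], ev["kind"], ev.get("level", "-"))
```

In the Logstash config itself, grok pattern names are case-sensitive (the stock numeric pattern is `NUMBER`, which is why `%{Number:statusvalue}` is reported as not defined), and `==` in a conditional compares whole strings, so a prefix test such as `java.*` needs `=~` with a regex.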
