Hi
ELK installed on Windows 2012 R2 and trying to capture Exchange message tracking. Everything is in D:\ELK and have ELK 5.3.2.
Running the command:
D:\ELK\logstash-5.3.2\bin\logstash -f D:\ELK\logstash-5.3.2\01-inputs.conf\exchange_msg_trk.conf --debug
...I get this error:
14:47:16.131 [LogStash::Runner] ERROR logstash.agent - Cannot load an invalid configuration {:reason=>"Expected one of #, } at line 38, column 32 (byte 1315) after output {\n elasticsearch { host => 127.0", :backtrace=>["D:/ELK/logstash-5.
My exchange_msg_trk.conf looks like this:
#udp syslogs stream via 5141
input {
udp {
type => "Exchange"
port => 5141
}
}
filter {
if [type] == "Exchange" {
csv {
add_tag => [ 'exh_msg_trk' ]
columns => ['logdate', 'client_ip', 'client_hostname', 'server_ip', 'server_hostname', 'source_context', 'connector_id', 'source', 'event_id', 'internal_message_id', 'message_id', 'network_message_id', 'recipient_address', 'recipient_status', 'total_bytes', 'recipient_count', 'related_recipient_address', 'reference', 'message_subject', 'sender_address', 'return_path', 'message_info', 'directionality', 'tenant_id', 'original_client_ip', 'original_server_ip', 'custom_data']
remove_field => [ "logdate" ]
}
grok {
match => [ "message", "%{TIMESTAMP_ISO8601:timestamp}" ]
}
mutate {
convert => [ "total_bytes", "integer" ]
convert => [ "recipient_count", "integer" ]
split => ["recipient_address", ";"]
split => [ "source_context", ";" ]
split => [ "custom_data", ";" ]
}
date {
match => [ "timestamp", "ISO8601" ]
timezone => "Europe/London"
remove_field => [ "timestamp" ]
}
if "_grokparsefailure" in [tags] {
drop { }
}
}
}
output {
elasticsearch { hosts => 10.20.0.29:9200 }
stdout { codec => rubydebug }
}
I have tried all permutations I can think of for hosts => localhost, 127.0.0.1, hostname, with and without quotes, checked the file for invalid characters and am at a loss in solving this.
Could someone look at this with a fresh pair of eyes?
Thanks