Recently upgraded to Logstash 5.6.15 and began receiving the error below on the ASM/WAF CSV branch of my filter config. Is this a regression in this version of Logstash, or do you see anything wrong with my config? (The error line is pasted as it appears; the rest of the event dump was cut off.) Thanks.
Error message:
[logstash.filters.csv ] Error parsing csv {:field=>"message"
Config file:
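# Branch A: F5 ASM (WAF) request-log records, which arrive as one quoted CSV line.
# NOTE(review): this guard only requires that the line start with '"' and contain a
# second '"' somewhere after it; it does not establish that the record is balanced,
# parseable CSV, so the csv filter below can still fail on lines that pass it.
if [message] =~ /^".*"/ {
  csv {
    # Values are assigned positionally, so this list must match the field order of the
    # ASM logging profile's storage format exactly; a reordered profile silently
    # mislabels columns rather than erroring.
    columns => ["attack_type","timestamp","dest_ip","dest_port","device_id","geo_location",
                "http_class_name","ip_address_intelligence","ip_client","ip_with_route_domain",
                "is_truncated","management_ip_address","Method","policy_apply_date","policy_name",
                "Protocol","query_string","Request","request_status","response_code",
                "route_domain","session_id","Severity","sig_ids","sig_names","sig_set_names",
                "src_port","sub_violations","support_id","unit_hostname","Uri","Username",
                "violation_details","violation_rating","Violations","virus_name","websocket_direction",
                "websocket_message_type","x_forwarded_for_header_value","Response"]
    add_tag => ["waf", "asm"]
    # add_tag/remove_field are applied only when the parse succeeds. On "Error parsing
    # csv" the filter leaves [message] intact and tags the event _csvparsefailure, so the
    # raw record remains available for triage on those events.
    remove_field => ["message"]
    # convert => { "dest_port" => "integer", "response_code" => "integer", "src_port" => "integer" }
  }
  # Removed: a grok {} block that carried no `match` pattern, only
  # remove_tag => ['_grokparsefailure']. remove_tag runs only after a successful match,
  # so it could never strip that tag; with nothing to match, the filter is at best a
  # no-op and in practice falls through to its own failure tagging.
  #
  # Likely cause of the parse error on this path (verify against the raw [message] of a
  # _csvparsefailure event before assuming a Logstash regression): several of these
  # columns -- Request, query_string, Uri, violation_details, Response -- carry
  # attacker-controlled request content. An embedded newline, an unescaped '"', or a
  # record ASM truncated inside a quoted value (see the is_truncated column) leaves the
  # quoting unbalanced, which the csv filter rejects as malformed.
}
else
{
  mutate {
    # Not a quoted CSV record: leave [message] untouched and mark the event for review.
    add_tag => ["malformed"]
  }
}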
}
else {
grok {
break_on_match => true
match => [
"message", "%{SYSLOG5424LINE}",
"message", "%{SYSLOGLINE}"
]
}