Error when starting up Logstash

sud0 · October 3, 2019, 11:11pm

When starting Logstash, I get the following error:

[2019-10-03T23:04:46,420][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-10-03T23:04:46,431][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.4.0"}
[2019-10-03T23:04:47,189][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, input, filter, output at line 3, column 5 (byte 37) after     # Apache B2B access filter\n\n    ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2584:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:153:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:26:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in `block in converge_state'"]}
[2019-10-03T23:04:47,533][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2019-10-03T23:04:52,401][INFO ][logstash.runner          ] Logstash shut down.

My logstash.conf file:

    if [type] == "apache_b2b_access_log" {

        mutate {
            replace => { 'host' => 'webserver.datacentre.example.com' }
            add_field => { 'environment' => 'production'
                           'service' => 'apache_proxy'
            }
        }

        grok {
            match => {
                "message" => "(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{TIME}),%{SPACE}%{IPORHOST:clientip},%{SPACE}%{NUMBER:port},%{SPACE}%{NUMBER:start_time},%{SPACE}%{NUMBER:end_time},%{SPACE}(?:%{NUMBER:bytes_delivered}|.*),%{SPACE}(?:%{WORD:reference}|.*),%{SPACE}%{WORD:method},%{SPACE}%{NUMBER:status_code},%{SPACE}%{URIPATHPARAM:request_uri},%{SPACE}%{GREEDYDATA:general_data}"
            }strong text
        }

        date {
            match => ["timestamp", "YYYY-MM-dd HH:mm:ss"]
            target => "@timestamp"
        }
    }

# Elastic setup

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "mw-log-index-%{+YYYY.'w'ww}"
    }
    stdout { codec => rubydebug }
}

I have got that logstash.conf file for ages... and maybe with the new version of logstash some parameters have changed?

Thanks!

Badger · October 4, 2019, 1:06pm

That's not a valid logstash.conf (it never starts the filter section) and does not contain the text that logstash complains about, so clearly either the quote is incomplete or you have another file as part of your configuration.

sud0 · October 7, 2019, 1:30am

You're right... my logstash.conf file was not correct. After getting it fixed, logstash is working fine. Thanks!

system · November 4, 2019, 1:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.