Error when starting up Logstash

Elastic Stack Logstash
1

When starting Logstash, I get the following error:

[2019-10-03T23:04:46,420][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-10-03T23:04:46,431][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.4.0"}
[2019-10-03T23:04:47,189][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, input, filter, output at line 3, column 5 (byte 37) after     # Apache B2B access filter\n\n    ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2584:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:153:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:26:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in `block in converge_state'"]}
[2019-10-03T23:04:47,533][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2019-10-03T23:04:52,401][INFO ][logstash.runner          ] Logstash shut down.

My logstash.conf file:

    if [type] == "apache_b2b_access_log" {

        mutate {
            replace => { 'host' => 'webserver.datacentre.example.com' }
            add_field => { 'environment' => 'production'
                           'service' => 'apache_proxy'
            }
        }

        grok {
            match => {
                "message" => "(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{TIME}),%{SPACE}%{IPORHOST:clientip},%{SPACE}%{NUMBER:port},%{SPACE}%{NUMBER:start_time},%{SPACE}%{NUMBER:end_time},%{SPACE}(?:%{NUMBER:bytes_delivered}|.*),%{SPACE}(?:%{WORD:reference}|.*),%{SPACE}%{WORD:method},%{SPACE}%{NUMBER:status_code},%{SPACE}%{URIPATHPARAM:request_uri},%{SPACE}%{GREEDYDATA:general_data}"
            }strong text
        }

        date {
            match => ["timestamp", "YYYY-MM-dd HH:mm:ss"]
            target => "@timestamp"
        }
    }

# Elastic setup

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "mw-log-index-%{+YYYY.'w'ww}"
    }
    stdout { codec => rubydebug }
}

I have got that logstash.conf file for ages... and maybe with the new version of logstash some parameters have changed?

Thanks!

2

That's not a valid logstash.conf (it never starts the filter section) and does not contain the text that logstash complains about, so clearly either the quote is incomplete or you have another file as part of your configuration.

3

You're right... my logstash.conf file was not correct. After getting it fixed, logstash is working fine. Thanks!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.