"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\"

tmrgbox · April 3, 2021, 12:56pm

Hi,
I'm trying to parse a log using the following config:

input {
udp {
port => 5555
type => "esetlog"
add_field => {
"etl_input_port" => 5555
"etl_input_protocol" => "udp"
}

}
}

filter {
if [type] == "esetlog" {
grok {
match => {
"message" => "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version} %{TIMESTAMP_ISO8601:syslog_timestamp} (?<server_name>.){"event_type":"%{WORD:event_type}","ipv4":"%{IPV4:device_ip}","hostname":"(?.)","source_uuid":"%{UUID:uuid}","occured":"(?<date_of_event>%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR} %{TIME})","severity":"%{WORD:severity}","(event":"(?.)|threat_type":"(?<threat_type>.))","(source_address":"%{IPV4:source_address}|threat_name":"(?<threat_name>.))","(source_address_type":"%{WORD:source_address_type}|scanner_id":"(?<scanner_id>.))","(source_port":%{NUMBER:source_port}|scan_id":"(?<scan_id>.))(,"|",")(target_address":"%{IPV4:target_address}|engine_version":"(?<engine_version>.))","(object_type":"%{WORD:object_type}|target_address_type":"%{WORD:target_address_type})","(object_uri":"(?.)|target_port":%{NUMBER:target_port})(,"|",")(action_taken":"(?<action_taken>.)|protocol":"%{WORD:protocol})","(threat_handled":%{WORD:threat_handled}|account":"(?.))(,"|",")(need_restart":%{WORD:need_restart}|process_name":"(?<process_name>.))(,"|",")(username":"(?.)|inbound":%{WORD:inbound})(,"|",")(processname":"%{WINPATH:processname}|threat_name":"(?<threat_name>.))","(circumstances":"(?.).","|aggregate_count":%{NUMBER:aggregate_count})(hash":"(?.)")?(})%{GREEDYDATA:error}"
}
}
}
}

This is the error is receive:

[ERROR][logstash.agent ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" at line 19, column 147 (byte 469) after filter {\n if [type] == \"esetlog\" {\n grok {\n match => {\n \"message\" => \"<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version} %{TIMESTAMP_ISO8601:syslog_timestamp} (?<server_name>.*){\\\"event_type\"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2580:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:161:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/reload.rb:37:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in block in converge_state'"]}`

aaron-nimocks · April 3, 2021, 1:33pm

Your data in the message field has " in it and it thinks the string is ending and then goes wacko.

Try wrapping the data in a ' instead.

"message" => 'data goes here and can gave a " in it'

If that doesn't work then you just need to escape all of them /.

tmrgbox · April 4, 2021, 8:14am

Thanks for the help!

system · May 2, 2021, 8:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.