[FATAL] 2018-05-16 09:39:07.354 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of #, => at line 15, column 10 (byte 170) after

Hello, i've an error in my syslog pipeline but i'm unable to find it !

Can someone help me ?

Error :
[FATAL] 2018-05-16 09:39:07.354 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of #, => at line 15, column 10 (byte 170) after filter {
if [type] == "syslog"
{
grok
{
if

This is my config file :

#### INPUT SECTION ####
input {
  udp {
    port => 514
    type => syslog
  }
}

#### FILTER SECTION ####
filter {
  if [type] == "syslog"
  {
    grok 
    {
      if [host] == "192.168.102.254"
      {
        match => { "message" => "<%{NUMBER:sequence}>%{NUMBER:sequence}: %{SYSLOGTIMESTAMP:Date}: %%{WORD:Facility}-%{WORD:Facility}-%{INT:Severity}-%{WORD:Mnemonic}: %{GREEDYDATA:Description}"}
      }
      else
      {
        match => { "message" => "<%{NUMBER:sequence}>%{NUMBER:sequence}: %{SYSLOGTIMESTAMP:Date}: %%{WORD:Facility}-%{INT:Severity}-%{WORD:Mnemonic}: %{GREEDYDATA:Description}"}
      }
    }
    mutate {
      remove_field => [ "@index","@version","@type","type","sequence","message"]
      gsub => [
        "Severity", "0", "0 - Emergency",
        "Severity", "1", "1 - Alert",
        "Severity", "2", "2 - Critical",
        "Severity", "3", "3 - Error",
        "Severity", "4", "4 - Warning",
        "Severity", "5", "5 - Notification",
        "Severity", "6", "6 - Informational",
	    "Severity", "7", "7 - Debug"
     ]
    }
    if [Facility] == "LINEPROTO" {
     drop {} 
    }
  }
}

#### OUTPUT SECTION ####
output {
  elasticsearch { 
   hosts => ["localhost:9200"] 
   index => "cisco"
  }
stdout { codec => rubydebug }
}

need add } after this.

Why ? Open it with Notepad++, all } are ok for me

You can't have conditionals inside your grok filter.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.