Filebeats to logstash _grokparsefailure, direct to ES is fine

jwh · March 7, 2016, 8:33pm

I'm having issues sending syslog to logstash using filebeat, when logstash received the entry it produces a _grokparsefailure. However if I send directly to ES everything works fine.

My logstash config is http://pastebin.com/si3vPDcE and it includes an example log line that was sent by my beats prospector. I've tested the message against the grok pattern at https://grokdebug.herokuapp.com and everything seems to be good.

Any help would be appreciated.
Thanks.
jwh

mentioning:
@andrewkroh

jwh · March 7, 2016, 9:42pm

Ok, issue fixed.

I was trying to parse the files as though they had arrived via RELP, once I removed the grok statement completely the logs started parsing without issue.

Topic		Replies	Views
Parsing logback log files with filebeat and sending them to Elasticsearch Beats	15	26180	July 5, 2017
Filebeat --> Logstash works but directly to Elasticsearch = nothing Beats filebeat	5	542	April 10, 2018
Filebeat to Logstash, Logstash to Elasticsearch Elasticsearch	2	500	May 6, 2019
What the different beats to es and beats to logstash to es Beats	7	1474	July 5, 2017
Filebeat is not sending Logs to Logstash Beats filebeat	1	324	February 3, 2021

Filebeats to logstash _grokparsefailure, direct to ES is fine

Related topics