Filter syslog messages via priority

Hello,
Currently I have logstash as a centralized syslog server.
I want to send to Elasticsearch only syslog messages with priority warn and above.
So, I created the following configuration file:

input {
  tcp {
    port => 5514
    type => syslog
  }
  udp {
    port => 5514
    type => syslog
  }
}

# Apply some filters
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
## Send the message to Elasticsearch
output {
  if [syslog_severity_code]<5 {
    elasticsearch {
      hosts => ['http://localhost:9200']
      index => "syslog-%{+YYYY.MM.dd}"
      document_type => "system_logs"
    }
  }
}   

However, all I get is this error message in the logs:

[2020-02-13T12:18:17,156][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-02-13T12:18:17,859][ERROR][org.logstash.execution.WorkerLoop][main] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash.
java.lang.NullPointerException: null

Removing the if... everything works as expected.
Is there anything wrong with this condition?
If so, how can I send to ES only the messages with severity higher than warn?

Thank you,

Where does [syslog_severity_code] get set?

This is a very good question, honestly.
I just used this index/field or whatever, from the logstash output, like for example here: https://www.elastic.co/guide/en/logstash/current/config-examples.html

The documentation is not correct. [syslog_severity_code] would not get set unless the syslog_pri filter is called.
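
One way to apply the fix from the last reply, added here as an example that is not part of the original thread: capture the `<PRI>` prefix, let the syslog_pri filter derive `syslog_severity_code`, and drop low-severity events only where that field is known to exist. It assumes senders put the `<PRI>` prefix on the wire; the tag name `syslog_pri_missing` and the choice to keep unparsed events are illustrative assumptions.

```logstash
# Added example, not the original poster's configuration.
input {
  tcp {
    port => 5514
    type => syslog
  }
  udp {
    port => 5514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # Assumption: messages start with the RFC 3164 "<PRI>" prefix; capture it as syslog_pri.
      match => { "message" => "<%{NONNEGINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
    if "_grokparsefailure" in [tags] {
      # No usable PRI: keep the event (fail open) and mark it instead of losing it silently.
      mutate { add_tag => [ "syslog_pri_missing" ] }
    } else {
      # PRI = facility * 8 + severity. The filter reads syslog_pri and sets
      # syslog_severity_code (0 = emergency ... 4 = warning ... 7 = debug).
      syslog_pri {
        # Keeps the legacy field names on releases where ECS mode is the default.
        # Remove this line if your plugin version predates the option.
        ecs_compatibility => disabled
      }
      # syslog_severity_code always exists in this branch, so the comparison cannot hit a null field.
      if [syslog_severity_code] > 4 {
        drop { }
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ['http://localhost:9200']
    index => "syslog-%{+YYYY.MM.dd}"
  }
}
```

Filtering in the filter stage leaves the output unconditional, so an event that never received a severity code is indexed with its tag rather than stopping the pipeline.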
