Hi,
I am getting an error after specifying separate GeoIP databases for GeoIP City and GeoIP Country in the same geoip filter.
Please find the error message below:
/usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/beats.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2018-07-14 14:10:04.888 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[FATAL] 2018-07-14 14:10:06.369 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of #, => at line 26, column 7 (byte 1207) after filter {
grok {
match => { "message" => '"remote address" %{IP:remote_address} - "remote user" - ["local time" %{HTTPDATE:time}] "Request" "%{GREEDYDATA:request}" "status code" %{INT:http_status_code} "bytes Transfer" %{NOTSPACE:bytes-transfer} "http_refere ""-" "http user agent" "%{DATA:httpuseragent}" "http x forwaded for" "%{DATA:http_x_forwarded_for}""requesttime" "%{DATA:requesttime}" "upstream time" "%{DATA:upstream_time}"'}
match => { "message" => '%{IP:client_ip} %{NOTSPACE:termination_state} %{NOTSPACE:termination_state} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{INT:http_status_code} %{NOTSPACE:bytes_read} %{GREEDYDATA:http_user_agent}'}
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
remove_field => ["timestamp"]
}
geoip {
source => "client_ip"
target => "geoip"
database => "/etc/logstash/GeoLite2-Country_20180605/GeoLite2-Country.mmdb" "/etc/logstash/GeoLite2-Country_20180605/GeoLite2-City.mmdb"
[ERROR] 2018-07-14 14:10:06.387 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
My beats.conf file is below:
# Receive events shipped by Beats agents (e.g. Filebeat).
input {
  beats {
    # Listener port for incoming Beats connections.
    # NOTE(review): no TLS or client-authentication settings appear in this block, so
    # shippers connect in plaintext unless that is configured elsewhere. Confirm, and
    # limit which hosts can reach this port.
    port => 5044
  }
}
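# Parse web access-log lines, enrich them with GeoIP data, and normalise field types.
filter {
  grok {
    # Two alternative layouts for the "message" field.
    # NOTE(review): grok patterns are regular expressions, so the bare [ ... ] around the
    # HTTPDATE captures reads as a character class, not literal brackets. Backslashes may
    # have been lost when the config was pasted; confirm against the file on disk.
    # NOTE(review): only the second pattern captures client_ip (the first captures
    # remote_address), so events matching the first layout have no client_ip field for
    # the geoip lookup below.
    # http_x_forwarded_for comes from a request header the client controls; do not treat
    # it as an authoritative source address when these events are used for attribution.
    match => { "message" => '"remote address" %{IP:remote_address} - "remote user" - ["local time" %{HTTPDATE:time}] "Request" "%{GREEDYDATA:request}" "status code" %{INT:http_status_code} "bytes Transfer" %{NOTSPACE:bytes-transfer} "http_refere ""-" "http user agent" "%{DATA:httpuseragent}" "http x forwaded for" "%{DATA:http_x_forwarded_for}""requesttime" "%{DATA:requesttime}" "upstream time" "%{DATA:upstream_time}"'}
    match => { "message" => '%{IP:client_ip} %{NOTSPACE:termination_state} %{NOTSPACE:termination_state} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{INT:http_status_code} %{NOTSPACE:bytes_read} %{GREEDYDATA:http_user_agent}'}
    # Record when and from which host the event was received.
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]
  }

  # NOTE(review): left at defaults; neither grok pattern above captures a syslog
  # priority value. Confirm this filter is needed for these logs.
  syslog_pri { }

  date {
    # NOTE(review): the grok patterns above capture "time" and "timestamp", not
    # "syslog_timestamp", so this match may never fire. Confirm which field holds the
    # event time.
    match => [ "syslog_timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    remove_field => ["timestamp"]
  }

  geoip {
    source => "client_ip"
    target => "geoip"
    # `database` takes exactly one file path. Two quoted strings side by side is what the
    # config parser rejected with "Expected one of #, =>". The City database is kept
    # because the longitude/latitude fields read below come from City data, and City
    # records also carry the country fields. If a separate Country lookup is still
    # wanted, add a second geoip block with its own `database` and `target`.
    database => "/etc/logstash/GeoLite2-Country_20180605/GeoLite2-City.mmdb"
    # Build a [longitude, latitude] pair from the lookup result.
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }

  mutate {
    # add_field produces strings; convert the coordinate values to floats.
    convert => [ "[geoip][coordinates]", "float"]
  }
}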
output {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "filebeat"
}