HELP for debug log stash config

Hello guys!

I want to evaluate a custom log. When I test %{HSMFORMAT} in the online grok debugger, there is no problem with it.

If I use it in my config file, I get a _grokparsefailure tag. My Logstash version is 5.2.2.
This is my config:

input {
  file {
    path => "/usr/share/logstash/log/hsm.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}
filter {
  grok {
    patterns_dir => ["/usr/share/logstash/pattern"]
    match => { "item" => "%{HSMFORMAT}" }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}

My pattern:

HEX [0-9A-F]{8}
YEAR (?>\d\d){1,2}
MONTHNUM2 (?:0[1-9]|1[0-2])
MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
HOUR (?:2[0123]|[01]?[0-9])
MINUTE (?:[0-5][0-9])
SECOND (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
DATE_EVENT %{YEAR}/%{MONTHNUM2}/%{MONTHDAY} %{TIME}
HSMFORMAT %{DATE_EVENT:data} %{HEX:tid} %{HEX:crt} %{HEX:cid} %{GREEDYDATA:mensagem}

And some test rows log:

2017/03/17 16:17:28 B77C16E0 00000001 000A2201 SL_BE DATABASE RESETTED. LOG ERASED.
2017/03/17 16:17:28 B77C16E0 00000002 000A2201 log: i-buffers closed.
2017/03/17 16:17:59 B77626E0 00000001 000A3301 initializing server request-pipeline
2017/03/17 16:17:59 B77626E0 00000002 000A3301 operating with stacks (1024, 1024)
2017/03/17 16:17:59 B77626E0 00000003 000A3301 open files (20480, 20480)
2017/03/17 16:17:59 B77626E0 00000004 000A3301 max file size (FFFFFFFF, FFFFFFFF)
2017/03/17 16:17:59 B77626E0 00000005 000A3301 max mlock size (08000000, 08000000)
2017/03/17 16:17:59 B77626E0 00000006 000A3301 OEM serial number info SN TCA0000000
2017/03/17 16:17:59 B77626E0 00000007 000A3301 libcrypto hdr 1.0.0
2017/03/17 16:17:59 B77626E0 00000008 000A3301 libcrypto dl 1000203F

Is something wrong with the syntax?

Thanks in advance!!!

You've configured your grok filter to match against an item field but your events don't have such a field (yet, anyway). Changing to message will work better.
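An added example, not part of the original thread and not Logstash's own code: a small Ruby stand-in for grok pattern expansion (the `expand` and `grok` helpers are hypothetical) that runs the thread's patterns against two of its sample lines. It shows the same pattern failing when pointed at the missing item field and succeeding on message. GREEDYDATA is assumed to be `.*`, as in the stock grok patterns.

```ruby
# Pattern definitions copied from the thread; GREEDYDATA added (assumed stock definition).
PATTERNS = {
  "HEX"        => '[0-9A-F]{8}',
  "YEAR"       => '(?>\d\d){1,2}',
  "MONTHNUM2"  => '(?:0[1-9]|1[0-2])',
  "MONTHDAY"   => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  "HOUR"       => '(?:2[0123]|[01]?[0-9])',
  "MINUTE"     => '(?:[0-5][0-9])',
  "SECOND"     => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  "TIME"       => '(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])',
  "DATE_EVENT" => '%{YEAR}/%{MONTHNUM2}/%{MONTHDAY} %{TIME}',
  "HSMFORMAT"  => '%{DATE_EVENT:data} %{HEX:tid} %{HEX:crt} %{HEX:cid} %{GREEDYDATA:mensagem}',
  "GREEDYDATA" => '.*'
}

# Recursively expand %{NAME} and %{NAME:field} into regex source;
# a field name becomes a named capture group.
def expand(src)
  src.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = expand(PATTERNS.fetch(name))
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Hypothetical stand-in for the grok filter: match `pattern` against event[field].
# A missing field or a non-matching value both end in the _grokparsefailure tag.
def grok(event, field, pattern)
  value = event[field]
  m = value && Regexp.new(expand(pattern)).match(value)
  return event.merge("tags" => ["_grokparsefailure"]) unless m
  event.merge(m.named_captures)
end

# Two sample lines from the thread, wrapped the way the file input emits them:
# the raw line lands in "message"; there is no "item" field.
SAMPLE = [
  "2017/03/17 16:17:28 B77C16E0 00000001 000A2201 SL_BE DATABASE RESETTED. LOG ERASED.",
  "2017/03/17 16:17:59 B77626E0 00000008 000A3301 libcrypto dl 1000203F"
]

SAMPLE.each do |line|
  event = { "message" => line, "path" => "/usr/share/logstash/log/hsm.log" }
  puts grok(event, "item", "%{HSMFORMAT}").inspect     # tagged _grokparsefailure
  puts grok(event, "message", "%{HSMFORMAT}").inspect  # data, tid, crt, cid, mensagem extracted
end
```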

Great!!!! It works. Thanks a lot!!!!
