Nithani25
August 13, 2018, 6:35am
1
Hi Team,
Filebeat Input:
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
enabled: true
paths:
/home/patcat/roddock_webservices/error*. .
/home/patcat/paddock_webservices/error*. .
paths:
/home/patcat/roddock_webservices/access*.*
/home/patcat/paddock_webservices/access*.*
exclude_lines: ['a10hm/1.0']
Logstash Conf file:
input {
Quick assistance is of high value. Thanks.
Always quote the full error message. You're not even saying if it's Logstash or Filebeat that's complaining.
overwrite => [ "message" ]
This belongs inside a grok filter.
Nithani25
August 13, 2018, 7:02am
3
Sorry, My bad the problem occurs while executing the logstash conf file. Also tried including the overwrite within grok filter...
[2018-08-13T00:01:10,736][FATAL][logstash.runner ] The given configuration is invalid. Reason: Expected one of #, => at line 10, column 32 (byte 306) after filter {
overwrite => { "message"
This indicates that your configuration contains overwrite => { "message" } which is wrong. overwrite => [ "message" ] is correct.
Nithani25
August 13, 2018, 9:03am
5
Yes i agree, but i have done that change but still very similar issue with output section.
[2018-08-13T01:56:28,376][FATAL][logstash.runner ] The given configuration is invalid. Reason: Expected one of #, => at line 35, column 11 (byte 938) after filter {
Looks like you're not closing the if [log_type] == "apache_access" { conditional.
Nithani25
August 13, 2018, 10:05am
7
Yes closing the if condition resolved it , but the overwrite filter didn't have any impact i could only see the message filed being present in the output logs.
{https://roddoc.patqa.corp.rrk.com/profile-web/signin " "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) lixconnx7660.corp.rrk.com ",xconnx7660.corp.rrk.com "@version " => "1",@timestamp " => 2018-08-13T09:58:43.635Z,xconnx7660.corp.rrk.com "
None of your filters execute since the log_typefield isn't set.
Nithani25
August 13, 2018, 11:09am
9
Yes, how do i fix it, is it the right forum or should i raise a separate request for this!
We can continue here. Please post your Filebeat configuration formatted as preformatted text (use the </> toolbar button or markdown notation) so we can see exactly what it looks like.
Nithani25
August 13, 2018, 11:34am
11
Only apache_access got picked up here and not apache_errors...
As I said I want to see the configuration formatted as preformatted text.
Nithani25
August 13, 2018, 12:07pm
13
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
- type: log
enabled: true
paths:
- /home/patcat/roddock_webservices/error*.*.*
- /home/patcat/paddock_webservices/error*.*.*
fields:
log_type: apache_error
fields_under_root: true
paths:
- /home/patcat/roddock_webservices/access*.*
- /home/patcat/paddock_webservices/access*.*
fields:
log_type: apache_access
fields_under_root: true
exclude_lines: ['a10hm/1.0']
#============================= Filebeat modules ===============================
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
#==================== Elasticsearch template setting ==========================
#setup.template.settings:
#index.number_of_shards: 3
#index.codec: best_compression
#_source.enabled: false
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["localhost:5070"]
Does it suffice!
Nithani25
August 14, 2018, 9:16am
14
Hi,
system
September 11, 2018, 9:16am
15
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.