JSON parser error

Hello,

This is my logstash configuration below:

filter {
grok {
match => { "message" => "%{SYSLOG5424PRI:syslog_index}-\s*%{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }
}
json {
source => "syslog_message"
}

Here is below the error displayed :

[2021-04-26T17:38:20,855][WARN ][logstash.codecs.jsonlines][main][533b154c49ba0c3c537b0d48bd34f3c6f861d2d2a4d8cd6ed52e613545983ddf] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: (String)"<01>- hostname {"name":"ELK","version":"1.0","isoTimeFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"traffic","category":"accept","protocolID":"17","sev":"0","src":"192.168.30.2","dst":"10.167.254.5","srcPort":"42494","dstPort":"161","relevance":"5","credibility":"5","startTimeEpoch":"1619451526888","startTimeISO":"2021-04-26T17:38:46.888+02:00","storageTimeEpoch":"1619451526888","storageTimeISO":"2021-04-26T17:38:46.888+02:00","deploymentID":"5c15c102-a647-11ea-8226-00505601062b","devTimeEpoch":"1"[truncated 1541 chars]; line: 1, column: 2]>, :data=>"<01>- hostname {"name":"ELK","version":"1.0","isoTimeFormat":"yyyy-MM-dd'T'HH:mm:ss.SSSZ","type":"traffic","category":"accept","protocolID":"17","sev":"0","src":"192.168.30.2","dst":"10.167.254.5","srcPort":"42494","dstPort":"161","relevance":"5","credibility":"5","startTimeEpoch":"1619451526888","startTimeISO":"2021-04-26T17:38:46.888+02:00","storageTimeEpoch":"1619451526888","storageTimeISO":"2021-04-26T17:38:46.888+02:00","deploymentID":"5c15c102-a647-11ea-8226-00505601062b","devTimeEpoch":"1619451441000","devTimeISO":"2021-04-26T17:37:21.000+02:00","srcPreNATPort":"0","dstPreNATPort":"0","srcPostNATPort":"0","dstPostNATPort":"0","hasIdentity":"false","payload":"<189>logver=604055651 timestamp=1619451441 tz=\"UTC+2:00\" devname=\"DCL0001FW\" devid=\"FG100FTK20004077\" vd=\"VPN-PARTNER\" date=2021-04-26 time=17:37:21 eventtime=1619451441728721200 tz=\"+0200\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=192.168.30.2 srcport=42494 srcintf=\"To-SUP_SFR\" srcintfrole=\"undefined\" dstip=10.167.254.5 dstport=161 dstintf=\"MPLS\" dstintfrole=\"wan\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=1300708441 proto=17 action=\"accept\" policyid=245 policytype=\"policy\" poluuid=\"f12a6f26-2983-51eb-5b11-8c3c06c9abb6\" policyname=\"Supervision_CES\" service=\"SNMP\" trandisp=\"noop\" duration=180 sentbyte=146 rcvdbyte=191 sentpkt=1 rcvdpkt=1 vpn=\"To-SUP_SFR\" vpntype=\"ipsec-static\" appcat=\"unscanned\"\n","eventCnt":"1","domainID":"4","domainName":"Decathlon_N1","eventName":"Firewall Permit","lowLevelCategory":"Firewall Permit","highLevelCategory":"Access","eventDescription":"Firewall Permit","protocolName":"udp","logSource":"FortiGate @ 192.168.0.3","srcNetName":"Net-10-172-192.Net_192_168_0_0","dstNetName":"Net-10-172-192.Net_10_0_0_0","logSourceType":"Fortinet FortiGate Security Gateway","logSourceGroup":"1H,Production,SUPERVISION","logSourceIdentifier":"192.168.0.3","BytesReceived":"191","BytesSent":"146","Application Category":"unscanned","Subtype":"forward"}"}

I need help setting up logstash parsing
Regards,

The error is coming from the json_lines codec, not the json filter. A codec on the input will be trying to parse [message], not [syslog_message], which does not exist until after the grok filter has executed.

This is below my input:

input {
tcp {
port => "5141"
codec => json
type => "syslog"
}
}

I don't know where the problem is coming from.

Remove this.

I will remove the codec. And I will observe the result by tomorrow.

Thank you Badger.
Its good

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.