Log stash Configuration Error

Elastic Stack Logstash
1

When I start Logstash I get the below error. I am trying to separate my Gelf and Filebeat input into different indices. Can anyone offer any help?
Inputs:

input {
  gelf {
    host => "10.16.0.5"
    port => 20001
    type => "Gelf"
  }
}

input {
  beats {
    host => "10.16.0.5"
    port => 5044
    type => "Filebeat"
  }
}

Outputs:

 output {
    if [type] == "Gelf"
        {
            elasticsearch {
            hosts => "localhost:9200"
            user => "elastic"
            password => "dshufhu)}Wk47278C*gx@'fe29[=$$/:"
            index => "Gelf-%{+YYYY.MM.dd}"
            }
    else
        {
            elasticsearch {
            hosts => "localhost:9200"
            user => "elastic"
            password => "dshufhu)}Wk47278C*gx@'fe29[=$$/:"
            index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
            }
      }
    }

[2018-01-19T16:48:24,625][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 29, column 23 (byte 425) after output {\nif [type] == "Gelf"\n {\n elasticsearch {\n hosts => "localhost:9200"\n user => "elastic"\n password => dshufhu)}Wk47278C*gx@'fe29[=$$/: index => "Gelf-%{+YYYY.MM.dd}"\n }\nelse\n {\n elasticsearch ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:171:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:335:in `block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:332:in `block in converge_state'", "org/jruby/RubyArray.java:1734:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:319:in `converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:in `block in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:343:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

cheers,

G

2 Likes
2

There's a } missing before else.

2 Likes
3

@magnusbaeck cheers for that! I thought it looked about right, I think the } in the password was throwing me off as I was using the PuTTy terminal to check which brackets we're lining up.

Also what type does Logstash ships the logs as? I was wondering what the best way to sort Filebeat logs is, would I sort them on the path field?

Cheers

G

4 
        index => "Gelf-%{+YYYY.MM.dd}"

Index names can't contain uppercase characters.

Also what type does Logstash ships the logs as?

That depends on the output plugin and its codec.

I was wondering what the best way to sort Filebeat logs is, would I sort them on the path field?

You mean how to distinguish between different kinds of logs? Yes, you can use the path to the log but I don't think it's a very good choice. Make sure you create the fields you need in order to keep log events apart. Maybe you want an application name field? That together with the hostname and maybe type of log should be sufficient to uniquely identify a particular event stream.

5

Thanks for all of that, I'll change my config tomorrow and let you know how I get along.

As with separating different types of logs, are you saying to add something like the 'application' field in Filebeat itself?

Cheers,

G

6

As with separating different types of logs, are you saying to add something like the 'application' field in Filebeat itself?

Yes, that's a good idea.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.