Logstash config error The given configuration is invalid. Reason: Expected one of #, {, } at line 13, column 44 (byte 286) after filter {

I am getting the below error while testing the config file

The given configuration is invalid. Reason: Expected one of #, {, } at line 13, column 135 (byte 377) after filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{IP:client_ip} %{NOTSPACE:termination_state} %{NOTSPACE:termination_state} [%{HTTPDATE:timestamp}] " {:level=>:fatal}

Please find the config file below

input {
lumberjack {
port => 5043
type => "syslog"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{IP:client_ip} %{NOTSPACE:termination_state} %{NOTSPACE:termination_state} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" %{INT:http_status_code} %{NOTSPACE:bytes_read} %{GREEDYDATA:url}" }

  add_field => [ "received_at", "%{@timestamp}" ]
  add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
  match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

}
}

Request you to please suggest me the same

1 Like

You can't have double quotes inside your double quote-delimited grok expression. Change

match => { "message" => "%{IP:client_ip} ... " }

to

match => { "message" => '%{IP:client_ip} ... ' }
2 Likes
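
A pre-check for the quoting problem described in the answer above, as an added example that is not part of the original thread: it reports the column at which a quoted settings value is closed early by an embedded quote. The function names, the `FOLLOWERS` token list and the treatment of backslash escapes are assumptions of this example, not Logstash's own parser.

```python
# Added example, not from the thread: heuristic pre-check for Logstash
# settings lines. Assumption: a string value may only be followed by one of
# the tokens in FOLLOWERS; conditional operators are not modelled.
FOLLOWERS = ("=>", ",", "}", "]", "{", ")", "#")


def closing_quote(line, start):
    """Index of the quote closing the string opened at line[start], or -1."""
    quote, i = line[start], start + 1
    while i < len(line):
        if line[i] == "\\":   # assumption: an escaped character stays inside
            i += 2
            continue
        if line[i] == quote:
            return i
        i += 1
    return -1


def find_early_close(line):
    """Return (column, leftover) for a string that ends before its value does.

    column is the 1-based position of the closing quote; None means clean.
    """
    i = 0
    while i < len(line):
        if line[i] == "#":            # comment outside a string: stop here
            return None
        if line[i] in "\"'":
            end = closing_quote(line, i)
            if end == -1:
                return None           # string continues on a later line
            rest = line[end + 1:].lstrip()
            if rest and not rest.startswith(FOLLOWERS):
                return end + 1, rest
            i = end + 1
        else:
            i += 1
    return None


# Constructed copies of the grok line from the question and the answer's fix.
PATTERN = ('%{IP:client_ip} %{NOTSPACE:termination_state} '
           '%{NOTSPACE:termination_state} [%{HTTPDATE:timestamp}] '
           '"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" '
           '%{INT:http_status_code} %{NOTSPACE:bytes_read} %{GREEDYDATA:url}')
BROKEN = 'match => { "message" => "' + PATTERN + '" }'
FIXED = "match => { \"message\" => '" + PATTERN + "' }"

if __name__ == "__main__":
    print(find_early_close(BROKEN))   # column of the early close and leftover
    print(find_early_close(FIXED))
```
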

Thanks, now the configuration has passed.
