Logstash agent failed to execute action

I'm trying to configure Logstash to take in logs from my Apache error.log file, but it keeps throwing this error:

[logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", [A-Za-z0-9_-], '\"', \"'\", [A-Za-z_], \"-\", [0-9], \"[\", \"{\" at line 9, column 18 (byte 92) after filter {\n  grok {\n    match => {\n    \"message\" => ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:189:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:392:in `block in converge_state'"]}

This is my config file

input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => {
    "message" => \[%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}\] \[%{WORD:log_type}:%{LOGLEVEL:log_level}\] \[pid %{NUMBER:pid}\] (?:\[client %{IP:client_ip}:%{NUMBER:client_port}\] ){0,1}%{GREEDYDATA:message}
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "filebeat-modsec-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "password"
    ssl => true
    ssl_certificate_verification => false
  }
}

EDIT: I have noticed my mistake where I did not put "" around the grok message.

OK, so you no longer have a problem, right?

yup, this issue is solved
