So I've reconfigured my logstash-config files - to separate different logs.
Now if I try to start it - I get the following error:
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main,
:exception=>"LogStash::ConfigurationError", :message=>"Expected one of
[ \t\r\n], "#", "input", "filter", "output" at line 9, column 1 (byte 56) after ",
I tried to spot an error in my config - but I cannot see one - here's the config file:
input {
  udp {
    port => 5140
    type => syslog
  }
}
filter {
  syslog_pri { }
  date {
    match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
  if [message] =~ /devname=/ {
    kv {
      source => "message"
    }
    mutate {
      convert => { "cpu" => "integer" }
      convert => { "mem" => "integer" }
      convert => { "disk" => "integer" }
      convert => { "totalsession" => "integer" }
      rename => { "type" => "fgt_type" }
      rename => { "subtype" => "fgt_subtype" }
      add_field => [ "type", "syslog" ]
      add_field => [ "fortilog", 1]
      lowercase => [ "vd" ]
    }
  }
}
output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["X.X.X.X"]
      index => "Network"
      user => User
      password => ********
      cacert => '/etc/logstash/certs/ca.crt'
      ssl_certificate_verification => false
    }
  }
}
Can somebody point out my failure? Thanks in advance!
I tested your config with config test and it works fine (no syntax error). Are you sure you're pasting the right config? Your error
Moritz_Kiesewetter:
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main,
:exception=>"LogStash::ConfigurationError", :message=>"Expected one of
[ \t\r\n], "#", "input", "filter", "output" at line 9, column 1 (byte 56) after ",
indicated a syntax error on line 9 of the config. However, your line 9 seems to have correct syntax.
ropc (Romain Chanu), May 14, 2020, 9:14am
Hi @Moritz_Kiesewetter - Which version of Logstash are you using? Which OS?
Hi,
Sorry, I forgot to mention it!
I use Logstash v.7.6 on a CentOS 7.
Ok, I'm really sorry! I did some trial and error - and found out the faulty config is another one in the same directory:
Faulty Conf:
input {
  udp {
    port => 5140
    type => syslog
  }
}
if [message] =~ /-esx-/ {
  if [message] =~ /^\S+ \S+ \S+ \S+: \S+ \S+ \[Originator@\d+ [^]]+\] .*$/
  {
    grok {
      match => [ "message", "\S+ \S+ (?<syslog_hostname>\S+) (?<esxservice>\S+): (?<level>\S+) (?<esxprocess>\S+) \[Originator@\d+ (?<esxsubinfo>[^]]+)\] (?<esxmessage>.*)" ]
    }
    kv {
      source=>"esxsubinfo"
    }
  }
  else {
    grok {
      match => [ "message", "^\S+ \S+ (?<syslog_hostname>\S+) (?<esxservice>\S+): (?<esxservicemessage>.*)$" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["X.X.X.X:9200"]
    index => "VmWare"
    #index => "VmWare-%{+YYYY.MM.dd}"
    user => USER
    password => *****
    cacert => '/etc/logstash/certs/ca.crt'
    ssl_certificate_verification => false
  }
}
If I test the conf - it says there is an error:
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 7, column 1 (byte 54) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:47:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:55:in
compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:17:in block in compile_sources'", "org/jruby/RubyArray.java:2580:in
map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:14:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:161:in
initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:27:in
initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in
block in converge_state'"]}
I checked it with the old conf - but cannot find the issue
ropc (Romain Chanu), May 14, 2020, 9:39am
@Moritz_Kiesewetter - filter keyword is missing
I see - added it. Now it works! Thanks a lot.
system (system), Closed June 11, 2020, 9:42am
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
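An added example, not part of the original thread: a small Python check that reports, per file, any statement that starts outside an input, filter or output block, which is the mistake found above in a second file of the same directory. The function names and the two sample files (names and contents) are constructed for illustration.

```python
import re

SECTIONS = {"input", "filter", "output"}
# Tokens that matter for nesting; comments, strings and regex literals are skipped whole.
TOKEN = re.compile(r'''
    (?P<skip> \#[^\n]*                      # comment to end of line
            | "(?:\\.|[^"\\])*"             # double-quoted string
            | '(?:\\.|[^'\\])*'             # single-quoted string
            | [=!]~\s*/(?:\\.|[^/\\\n])*/ ) # regex literal after =~ or !~
  | (?P<open>\{) | (?P<close>\})
  | (?P<word>[A-Za-z_][\w-]*)
''', re.VERBOSE)

def stray_top_level(text):
    """Return (line, word) for each statement that starts outside a section."""
    depth, pending, found = 0, False, []
    for m in TOKEN.finditer(text):
        if m.lastgroup == "open":
            depth, pending = depth + 1, False
        elif m.lastgroup == "close":
            depth = max(depth - 1, 0)
        elif m.lastgroup == "word" and depth == 0 and not pending:
            if m.group() not in SECTIONS:
                found.append((text.count("\n", 0, m.start()) + 1, m.group()))
                pending = True  # report once per stray statement
    return found

def scan(files):
    """files maps file name -> config text; returns (name, line, word) findings."""
    return [(name, line, word) for name, text in sorted(files.items())
            for line, word in stray_top_level(text)]

# Constructed sample input modelled on the two configs in the thread.
HEAD = "input {\n  udp {\n    port => 5140\n    type => syslog\n  }\n}\n"
SAMPLE = {
    "10-network.conf": HEAD + r"""filter {
  if [message] =~ /devname=/ { kv { source => "message" } }
}
output { elasticsearch { hosts => ["X.X.X.X"] } }
""",
    "20-vmware.conf": HEAD + r"""if [message] =~ /-esx-/ {
  grok { match => [ "message", "^\S+ \S+ (?<esxservice>\S+): (?<esxservicemessage>.*)$" ] }
}
output {
  #index => "VmWare-%{+YYYY.MM.dd}"
  elasticsearch { hosts => ["X.X.X.X:9200"] }
}
""",
}
if __name__ == "__main__":
    for name, line, word in scan(SAMPLE):
        print(f"{name}:{line}: '{word}' is outside input/filter/output")
```

This only checks section structure; Logstash's own `--config.test_and_exit` remains the authoritative syntax check.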