Logstash cannot start because of Config Error - can't find the issue

So I've reconfigured my Logstash config files to separate different logs.
Now if I try to start it, I get the following error:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main,
:exception=>"LogStash::ConfigurationError", :message=>"Expected one of
[ \t\r\n], "#", "input", "filter", "output" at line 9, column 1 (byte 56) after ",

I tried to spot an error in my config, but I cannot see one. Here's the config file:

input {
  udp {
    port => 5140
    type => syslog
  }
}
filter {
  syslog_pri { }
  date {
    match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
  if [message] =~ /devname=/ {
    kv {
      source => "message"
    }
    mutate {
      convert => { "cpu" => "integer" }
      convert => { "mem" => "integer" }
      convert => { "disk" => "integer" }
      convert => { "totalsession" => "integer" }
      rename => { "type" => "fgt_type" }
      rename => { "subtype" => "fgt_subtype" }
      add_field => [ "type", "syslog" ]
      add_field => [ "fortilog", 1]
      lowercase => [ "vd" ]

    }
  }
}
output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["X.X.X.X"]
      index => "Network"
      user => User
      password => ********
      cacert => '/etc/logstash/certs/ca.crt'
      ssl_certificate_verification => false
    }
  }
}

Can somebody point out my failure? Thanks in advance!

I tested your config with config test and it works fine (no syntax error). Are you sure you're pasting the right config? Your error indicated a syntax error on line 9 of the config. However, your line 9 seems to have correct syntax.

Hi @Moritz_Kiesewetter - Which version of Logstash are you using? Which OS?

Hi,
Sorry, I forgot to mention it!
I use Logstash v.7.6 on CentOS 7.

OK, I'm really sorry! I did some trial and error and found out the faulty config is another one in the same directory:

Faulty Conf:

input {
        udp {
        port => 5140
                type => syslog
                }
        }
if [message] =~ /-esx-/ {
 if [message] =~ /^\S+ \S+ \S+ \S+: \S+ \S+ \[Originator@\d+ [^]]+\] .*$/
    {
      grok {
        match => [ "message", "\S+ \S+ (?<syslog_hostname>\S+) (?<esxservice>\S+): (?<level>\S+) (?<esxprocess>\S+) \[Originator@\d+ (?<esxsubinfo>[^]]+)\] (?<esxmessage>.*)" ]
      }
      kv {
        source=>"esxsubinfo"
      }
    }
    else {
      grok {
        match => [ "message", "^\S+ \S+ (?<syslog_hostname>\S+) (?<esxservice>\S+): (?<esxservicemessage>.*)$" ]
      }
    }
}
 output {
      elasticsearch {
        hosts => ["X.X.X.X:9200"]
        index => "VmWare"
        #index => "VmWare-%{+YYYY.MM.dd}"
        user => USER
        password => *****
        cacert => '/etc/logstash/certs/ca.crt'
        ssl_certificate_verification => false

  }
}

If I test the conf, it says there is an error:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 7, column 1 (byte 54) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:47:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:55:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:17:in block in compile_sources'", "org/jruby/RubyArray.java:2580:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:14:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:161:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:27:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in block in converge_state'"]}

I checked it with the old conf, but cannot find the issue.

@Moritz_Kiesewetter - filter keyword is missing 🙂

I see - added it 🙂 Now it works! Thanks a lot.

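Logstash merges every file matched by path.config into one pipeline, so a second file in the same directory can break a config that tests clean on its own. The following is an added example, not code from the thread or from Logstash: a simplified scanner (not Logstash's parser; the function name and sample config are constructed here) that reports the first statement sitting outside an input/filter/output section, with the line and column the parser error would point at.

```python
import re

SECTIONS = {"input", "filter", "output"}
WORD = re.compile(r"[A-Za-z_]\w*")

def first_top_level_error(text):
    """Return (line, column, token) of the first statement outside a section, else None."""
    depth, quote, i = 0, None, 0
    while i < len(text):
        ch = text[i]
        if quote:                          # inside "...", '...' or /regex/
            if ch == "\\":
                i += 1                     # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch == "#":                    # comment: ignore up to end of line
            end = text.find("\n", i)
            i = len(text) if end == -1 else end
            continue
        elif ch in "\"'/":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
        elif depth == 0 and not ch.isspace():
            word = WORD.match(text, i)
            if word and word.group() in SECTIONS:
                i = word.end()             # a section keyword is allowed at top level
                continue
            line_start = text.rfind("\n", 0, i) + 1
            return text.count("\n", 0, i) + 1, i - line_start + 1, word.group() if word else ch
        i += 1
    return None

# Constructed sample, shortened from the faulty file in the thread.
FAULTY = """input {
  udp {
    port => 5140
    type => syslog
  }
}
if [message] =~ /-esx-/ {
  grok { match => [ "message", "%{GREEDYDATA:esxmessage}" ] }
}
output {
  elasticsearch { hosts => ["X.X.X.X:9200"] }  # index => "vmware-%{+YYYY.MM.dd}"
}
"""
```

Run it over each file in the config directory separately (read the file and pass its text to `first_top_level_error`) to see which file carries the stray statement; here the sample yields line 7, column 1, token `if`.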