Hi,
I have Logstash set up to pick up Snort alerts, but I have had this error and I don't know why.
Error:
logstash | [2021-06-22T08:55:53,809][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" at line 9, column 67 (byte 190) after filter {\n dissect { mapping => { \"message\" => \"%{ts} [%{trash}] [%{fd1}] \"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:367:in `block in converge_state'"]}
Logstash.conf file:
input {
  file {
    path => "/var/log/snort/alert_fast.txt"
    start_position => "beginning"
  }
}
filter {
  dissect { mapping => { "message" => "%{ts} [%{trash}] [%{fd1}] "%{alert}" [%{fd2}} %{ip_ori}:%{port_ori} %{fd3} %{ip_dest}:%{port_dest}" }>
output {
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "logstash-snort3a"
  }
  stdout { }
}
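Added example, not part of the post above: a Logstash double-quoted string ends at the first unescaped `"`, which is exactly where the parser stopped (line 9, column 67, the quote before `%{alert}`), so the literal quotes in the pattern must be written `\"` and the `[%{fd2}}` bracket closed with `]`. The Python script below emits the mapping as a correctly escaped Logstash string and runs a small dissect-style matcher (an approximation written here, not Logstash's own code) over a constructed alert line to show what each field captures.

```python
import re

# Corrected mapping from the post: the literal quotes around %{alert} are part
# of the pattern, and the bracket after %{fd2} is closed with ] instead of }.
MAPPING = ('%{ts} [%{trash}] [%{fd1}] "%{alert}" [%{fd2}] '
           '%{ip_ori}:%{port_ori} %{fd3} %{ip_dest}:%{port_dest}')

# Constructed sample line shaped to match the mapping (not real Snort output).
SAMPLE = ('06/22-08:55:53.809 [**] [1:1000001:1] "TEST rule fired" '
          '[Priority: 2] 192.0.2.10:44321 -> 198.51.100.5:80')


def logstash_string(pattern: str) -> str:
    """Wrap a dissect pattern in a Logstash "..." literal: backslashes and
    double quotes inside the pattern must be escaped or the string ends early."""
    return '"' + pattern.replace('\\', '\\\\').replace('"', '\\"') + '"'


def dissect(mapping: str, message: str) -> dict:
    """Approximation of the dissect filter: each %{name} consumes text up to
    the first occurrence of the literal delimiter that follows it."""
    tokens = [t for t in re.split(r'(%\{[^}]*\})', mapping) if t]
    fields, pos, i = {}, 0, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('%{'):
            name = tok[2:-1]
            delim = tokens[i + 1] if i + 1 < len(tokens) else ''
            if delim.startswith('%{'):
                raise ValueError('fields must be separated by a delimiter')
            end = len(message) if delim == '' else message.find(delim, pos)
            if end == -1:
                raise ValueError(f'delimiter {delim!r} not found after %{{{name}}}')
            fields[name] = message[pos:end]
            pos, i = end + len(delim), i + 2
        else:
            if not message.startswith(tok, pos):
                raise ValueError(f'expected literal {tok!r} at offset {pos}')
            pos, i = pos + len(tok), i + 1
    return fields


if __name__ == '__main__':
    print('mapping line for logstash.conf:')
    print('  "message" => ' + logstash_string(MAPPING))
    for name, value in dissect(MAPPING, SAMPLE).items():
        print(f'  {name} = {value}')
```

After pasting the escaped line into the config, `bin/logstash --config.test_and_exit -f logstash.conf` checks the syntax without starting the pipeline.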