Logstash 'compile_imperative' error

Hi,
I have Logstash set up to pick up Snort alerts, but I have been getting this error and I don't know why.

Error:

logstash         | [2021-06-22T08:55:53,809][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" at line 9, column 67 (byte 190) after filter {\n  dissect { mapping => { \"message\" => \"%{ts} [%{trash}] [%{fd1}] \"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:367:in `block in converge_state'"]}

Logstash.conf file:

input {
    file {
        path => "/var/log/snort/alert_fast.txt"
        start_position => "beginning"
    }
}

filter {
  dissect { mapping => { "message" => "%{ts} [%{trash}] [%{fd1}] "%{alert}" [%{fd2}} %{ip_ori}:%{port_ori} %{fd3} %{ip_dest}:%{port_dest}" }}
}

output {
    elasticsearch {
        hosts => "http://localhost:9200"
        index => "logstash-snort3a"
    }
    stdout { }
}

Hi,

You have to place a backslash in front of the quotes around {alert}. They split your regex.

Cad.

I just realized it, I used this solution:

dissect { mapping => { "message" => '%{ts} [%{trash}] [%{fd1}] "%{alert}" [%{fd2}} %{ip_ori}:%{port_ori} %{fd3} %{ip_dest}:%{port_dest}' }}

Thanks :slight_smile:
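To see what the corrected mapping actually extracts once the quoting is fixed, here is a small Python re-implementation of dissect's delimiter-splitting semantics run over a constructed Snort alert_fast line. This is an added example, not code from the thread or from Logstash: it handles plain %{field} tokens only (no dissect modifiers such as + or ?), and the sample alert is made up.

```python
import re
from typing import Dict, List, Tuple

# The mapping from the corrected config. In Logstash it is single-quoted, so the
# inner double quotes need no escaping. "%{fd2}}" ends fd2 at the "}" of "{TCP}".
SNORT_FAST_PATTERN = ('%{ts} [%{trash}] [%{fd1}] "%{alert}" [%{fd2}} '
                      '%{ip_ori}:%{port_ori} %{fd3} %{ip_dest}:%{port_dest}')

# Constructed sample line in Snort alert_fast layout (not a real alert).
SAMPLE_ALERT = ('06/22-08:55:53.809 [**] [1:1000001:1] "TEST policy violation" [**] '
                '[Classification: Policy Violation] [Priority: 2] {TCP} '
                '10.0.0.5:51234 -> 192.0.2.10:443')


def tokenize(pattern: str) -> List[Tuple[str, str]]:
    """Split a dissect pattern into (literal_prefix, field_name) pairs.
    Each pair means: match the literal, then capture a field that runs up to
    the next pair's literal. The final pair carries the trailing literal only."""
    parts = re.split(r'%\{([^}]*)\}', pattern)   # literal, field, literal, field, ..., literal
    tokens = [(parts[i - 1], parts[i]) for i in range(1, len(parts), 2)]
    tokens.append((parts[-1], ''))
    return tokens


def dissect(pattern: str, line: str) -> Dict[str, str]:
    """Mimic dissect: every field is bounded by the literal text around it.
    Returns {} when a delimiter is missing (Logstash would tag _dissectfailure)."""
    tokens = tokenize(pattern)
    result: Dict[str, str] = {}
    pos = 0
    for idx, (prefix, field) in enumerate(tokens):
        if not line.startswith(prefix, pos):
            return {}
        pos += len(prefix)
        if field == '':
            break                                # trailing literal, nothing left to capture
        next_delim = tokens[idx + 1][0]
        end = len(line) if next_delim == '' else line.find(next_delim, pos)
        if end < 0:
            return {}
        result[field] = line[pos:end]
        pos = end
    return result
```

Running dissect(SNORT_FAST_PATTERN, SAMPLE_ALERT) shows that fd2 swallows everything from "**]" through "{TCP", which is why the stray "}" in the pattern still parses the sample line.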
