Logstash conf problem

Jpuch · April 14, 2016, 2:17pm

Hi,

I have a problem with logstash, when i add a grok filter, logstash seem to stop sending data to ES or kibana.

My data come by udp protocol on port 514

here is my filter conf file (the ELK system is working fine at this point)

filter {
#  if [type] == "syslog" {
#    syslog_pri { }
#    date {
#      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
#      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
#    }
#  }


####FILTER ESX

if [host] == "IPESX1" or [host] == "IPESX2" {
	grok{
		break_on_match => true
		match => [
		"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp}\s%{SYSLOGHOST:esx_syslog_hostname}\s%{SYSLOGPROG:esx_syslog_program}:\s%{WORD:esx_syslog_level}\s%{SYSLOGPROG}\[%{DATA:esx_thread_id}\]\s\[%{DATA} sub=%{DATA:esx_sub} opID=%{DATA:esx_opID}\]\s\[%{DATA:esx_msg_service_info}\]\s%{GREEDYDATA:esx_msg}",
		"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp}\s%{SYSLOGHOST:esx_syslog_hostname}\s%{SYSLOGPROG:esx_syslog_program}:\s%{WORD:esx_syslog_level}\s%{SYSLOGPROG}\[%{DATA:esx_thread_id}\]\s\[%{DATA} sub=%{DATA:esx_sub}\]\s%{DATA:esx_msg_service_info}\s:%{GREEDYDATA:esx_msg}",{SYSLOGPROG}\[%{DATA:esx_thread_id}\]\s\[%{DATA} sub=%{DATA:esx_sub}\]\s%{DATA:esx_msg_service_info}:%{GREEDYDATA:esx_msg}",
		"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp}\s%{SYSLOGHOST:esx_syslog_hostname}\s%{SYSLOGPROG:esx_syslog_program}:\s%{WORD:esx_syslog_level}\s%{GREEDYDATA:esx_msg}",
		"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp}\s%{SYSLOGHOST:esx_syslog_hostname}\s%{SYSLOGPROG:esx_syslog_program}\[%{DATA:esx_thread_id}\]:%{GREEDYDATA:esx_msg}",
		"message", "<%{POSINT:syslog_pri}>-->\s\[%{DATA:msg}\]",
		"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp}\s%{SYSLOGHOST:esx_syslog_hostname}\s%{SYSLOGPROG:esx_syslog_program}: %{GREEDYDATA:msg}",
		"message", "<%{POSINT:syslog_pri}>%{UUID:esx_uuid}\s%{SYSLOGHOST:esx_syslog_hostname}\s%{SYSLOGPROG:esx_syslog_program}:\s%{GREEDYDATA:msg}"
		
		]
		add_tag => [ "esx" ]

	}
	mutate {
        replace => [ "@message", "%{msg}" ]
	}
	
	
	if "Rejected password" in [message] and "cpu" in [message] {
        grok {
            break_on_match => false
            match => [
                "message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp}\s%{SYSLOGHOST:esx_syslog_hostname}\s%{SYSLOGPROG:esx_syslog_program}: %{GREEDYDATA:msg}"
            ]
			add_tag => [ "esx" ]
        }
	}
	if "Section for VMware" in [message] {
        grok {
            break_on_match => false
            match => [
                "message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp}\s%{SYSLOGHOST:esx_syslog_hostname}\s%{SYSLOGPROG:esx_syslog_program}: %{GREEDYDATA:msg},\spid=%{NUMBER:esx_pid},\sversion=%{DATA:esx_version},\sbuild=%{NUMBER:esx_build},\soption=%{WORD:esx_option}"
            ]
			add_tag => [ "esx" ]
        }
	}

}


}



 filter {
  if [type] == "nxlog" {
    json {
      source => "message"
    }
    mutate {
        lowercase => [ "EventType", "FileName", "Hostname", "Severity", "host" ]
        rename => [ "Hostname", "host" ]
        rename => [ "Message", "message" ]
    }
  }
}

The system stop to work when i add my grok filter for my fortigate firewall :

if [type] == "syslog" {
	if [host] == "10.33.2.254" {
		grok {
			patterns_dir => "/etc/logstash/patterns/"
			match => ["message","%{FORTIGATE_BASE},poluuid=%{UUID:fw_poluuid},sessionid=%{NUMBER},proto=%{WORD:fw_proto},action=%{WORD:fw_action},policyid=%{NUMBER:fw_policyid},%{FORTIGATE_COUNTRY},transip=%{IPV4:fw_transip},transport=%{NUMBER:fw_transport},service=%{QUOTEDSTRING:fw_service},%{FORTIGATE_BYTE_PKT}"]
			match => ["message","%{FORTIGATE_BASE},poluuid=%{UUID:fw_poluuid},sessionid=%{NUMBER},proto=%{WORD:fw_proto},action=%{WORD:fw_action},policyid=%{NUMBER:fw_policyid},%{FORTIGATE_COUNTRY},tranip=%{IPV4:fw_transip},tranport=%{NUMBER:fw_transport},service=%{QUOTEDSTRING:fw_service},%{FORTIGATE_BYTE_PKT}"]
			match => ["message","%{FORTIGATE_BASE},sessionid=%{NUMBER},proto=%{WORD:fw_proto},action=%{WORD:fw_action},policyid=%{NUMBER:fw_policyid},%{FORTIGATE_COUNTRY},service=%{QUOTEDSTRING:fw_service},app=%{QUOTEDSTRING:fw_app},%{FORTIGATE_BYTE_PKT}"]
			add_tag => [ "Firewall" ]
		}
	}
}

i put this block behind the esx block and i the first filter block.

When i restart my logstash service, i have no more incoming data in kibana.

How can i fix this ?

Thanks

magnusbaeck · April 15, 2016, 6:08am

Is there anything interesting in the Logstash logs? What if you increase the logging verbosity?

Jpuch · April 15, 2016, 7:57am

Hi Magnus, thanks for your reply,

After a logstash reboot with the entire conf file i got this logstash log :

{:timestamp=>"2016-04-15T09:49:38.255000+0200", :message=>"SIGTERM received. Shutting down the agent.", :level=>:warn}
{:timestamp=>"2016-04-15T09:49:38.255000+0200", :message=>"stopping pipeline", :id=>"main"}
{:timestamp=>"2016-04-15T09:49:38.385000+0200", :message=>"UDP listener died", : exception=>#<IOError: closed stream>, :backtrace=>["org/jruby/RubyIO.java:3682:in `select'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-2.0.5/lib/logstash/inputs/udp.rb:77:in `udp_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-2.0.5/lib/logstash/inputs/udp.rb:50:in `run'" , "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:342:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:336:in `start_input'"],:level=>:warn}
{:timestamp=>"2016-04-15T09:49:39.647000+0200", :message=>"Pipeline main has been shutdown"}
{:timestamp=>"2016-04-15T09:49:44.927000+0200", :message=>"Pipeline aborted due to error", :exception=>#<Grok::PatternError: pattern %{HOST:hostname} not defined>, :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb:123:in `compile'", "org/jruby/RubyKernel.java:1479:in `loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb:93:in `compile'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:264:in `register'", "org/jruby/RubyArray.java:1613:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:259:in `register'", "org/jruby/RubyHash.java:1342:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:255:in `register'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:182:in `start_workers'", "org/jruby/RubyArray.java:1613:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:182:in `start_workers'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:136:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/agent.rb:465:in `start_pipeline'"], :level=>:error}
{:timestamp=>"2016-04-15T09:49:46.625000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Socket closed>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:272:in `accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/jruby-openssl-0.9.13-java/lib/jopenssl19/openssl/ssl-internal.rb:106:in `accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.4/lib/logstash/inputs/tcp.rb:112:in `run_server'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.4/lib/logstash/inputs/tcp.rb:84:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:342:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:336:in `start_input'"], :level=>:error}
{:timestamp=>"2016-04-15T09:49:47.932000+0200", :message=>"stopping pipeline", :id=>"main"}

don't know why but it seem the field host is no longer recognize when i add my firewall grok pattern.

magnusbaeck · April 15, 2016, 8:05am

... Grok::PatternError: pattern %{HOST:hostname} not defined ...

Well, there's no HOST pattern in grok's standard set so unless you define that pattern in one of your own pattern files this isn't going to work. Perhaps you meant HOSTNAME?

Manuel_Ramirez · September 2, 2016, 8:30pm

I have a same problem.

Topic		Replies	Views
Can give a examplge about how logstash use udp data to es? Logstash	17	832	April 13, 2018
Problem with my logstash file '.conf' for analyse syslog from my switchs Logstash	5	335	April 26, 2023
Parsing syslog from linux rsyslog Logstash	25	7947	July 6, 2017
Logstash UDP plugin Logstash	12	919	November 22, 2017
Help needed with Logstash and syslog config Logstash	6	730	July 6, 2017

Logstash conf problem

Related topics