Logstash config file error

varun1992 · August 13, 2017, 2:23pm

I got an error like below when indexing in logstash

Log file model is

date=2017-01-24 time=07:24:24 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.110 srcport=60846 srcintf="internal" dstip=72.21.91.29 dstport=80 dstintf="wan1" poluuid=b7f14824-e247-51e6-fc2c-b25329293b13 sessionid=1226 proto=6 action=close policyid=1 policytype=policy dstcountry="United States" srccountry="Reserved" trandisp=snat transip=192.168.254.50 transport=60846 service="HTTP" duration=20 sentbyte=186 rcvdbyte=146 sentpkt=4 rcvdpkt=3 appcat="unscanned"

Config file as below

input {
file {
type => "fortynet"
path => "C:/ElasticProducts/FortiNet.log"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}

grok {
match => [ "message", "date=%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} time=%{TIME:time} logid=%{NUMBER:logid} type=%{WORD:type} subtype=%{WORD:subtype} level=%{WORD:level} vd=%{WORD:vd} srcip=%{IP:src-ip} srcport=%{NUMBER:src-port} srcintf=%{QUOTEDSTRING:src-intf} dstip=%{IP:dst-ip} dstport=%{NUMBER:dst-port} dstintf=%{QUOTEDSTRING:dst-intf} poluuid=%{NOTSPACE:poluuid} sessionid=%{NUMBER:sessionid} proto=%{NUMBER:proto} action=%{WORD:action} policyid=%{NUMBER:policyid} policytype=%{WORD:policytype} dstcountry=%{QUOTEDSTRING:dst-country} srccountry=%{QUOTEDSTRING:src-country} trandisp=%{WORD:trandisp} transip=%{IP:trans-ip} transport=%{NUMBER:trans-port} service=%{QUOTEDSTRING:service} duration=%{NUMBER:duration} sentbyte=%{NUMBER:sentbyte} rcvdbyte=%{NUMBER:rcvdbyte} sentpkt=%{NUMBER:sentpkt} rcvdpkt=%{NUMBER:rcvdpkt} appcat=%{QUOTEDSTRING:appcat}" ]
}

mutate {
add_field => {
"timestamp" => "%{year}-%{month}-%{day} %{time}"
}
}
date {
match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss" ]
timezone => "Etc/UTC"
}

output {
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "changeme"
index => "fortynet"
#template => "C:\ElasticProducts\fortynet.json"
document_id => "%{logid}"
document_type => "fortynet"
template_overwrite => true
}

stdout {
debug => true debug_format => "json"
codec => rubydebug
}
}

magnusbaeck · August 13, 2017, 6:33pm

You need to wrap your filters (grok, mutate, and date) in a filter { ... } block.

Unrelated to that you should look into using a kv filter to parse the key/value pairs in your message.

system · September 10, 2017, 6:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.