Logstash configuration error when using filter


(venkat) #1

Hi,
I have installed Logstash 6.2, and with the following configuration I am not able to start Logstash. I am getting an error at the filter configuration, but I tried to change it and am getting the same result. Can anyone help me with this?

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }

filter {
  if [type] == "cq-access"{
    grok {
      match => [ "message", "%{IPORHOST:clientip} - %{USER:ident} %{HTTPDATE:timestamp} %{QS}" ]
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    user => "logstash_admin"
    password => "Logstashpassword"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Error:

[2018-06-07T14:10:24,390][WARN ][logstash.licensechecker.licensereader] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}

[2018-06-07T14:10:24,414][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x15df503e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 sleep>"}

[2018-06-07T14:10:24,432][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 10, column 8 (byte 213) after input { \n\tbeats {\n \t\tport => 5044\n \t\tssl => true\n \t\tssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"\n \t\tssl_key => "/etc/pki/tls/private/logstash-forwarder.key"\n \t }\t\t\t\n\nfilter {\n\t\tgrok ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:incompile_graph'",


#2

You have a } to close the beats input, but you are missing a } to close the input section. It should be

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
filter {
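
A small pre-flight check for the mistake described in this reply, added here as an example and not part of the original thread or of Logstash: it reports a top-level section that is still open when the next one begins or at end of file. The function name and the heuristic are assumptions: `input`, `filter` and `output` are treated as section openers wherever they directly precede a `{`, quoted strings and `#` comments are skipped so the braces in `%{...}` patterns do not count, and `/regex/` literals are not parsed.

```python
import re

SECTIONS = {"input", "filter", "output"}
# Strings and comments are consumed whole so braces inside "%{...}" patterns are ignored.
TOKEN = re.compile(r'''
    "(?:\\.|[^"\\])*" | '(?:\\.|[^'\\])*' | \#[^\n]*
  | (?P<word>[A-Za-z_][\w-]*) | (?P<open>\{) | (?P<close>\})
  | (?P<nl>\n) | (?P<ws>[ \t\r]+) | .
''', re.VERBOSE | re.DOTALL)

def find_unclosed_sections(config):
    """Return (section, opened_line, detected_line) for each unclosed top-level section."""
    problems, stack, last_word, line = [], [], None, 1
    for m in TOKEN.finditer(config):
        if m.group("nl"):
            line += 1
        elif m.group("ws"):
            continue
        elif m.group("word"):
            last_word = m.group("word")
        elif m.group("open"):
            if last_word in SECTIONS and stack:
                # input/filter/output started while an earlier block is still open
                problems.append((stack[0][0], stack[0][1], line))
                stack = []
            stack.append((last_word, line))
            last_word = None
        else:
            if m.group("close") and stack:
                stack.pop()
            last_word = None
            line += m.group(0).count("\n")  # strings may span several lines
    if stack:
        problems.append((stack[0][0], stack[0][1], line))
    return problems

# Constructed sample, shortened from the configuration in post #1 (input is never closed).
BROKEN = '''input {
  beats {
    port => 5044
  }

filter {
  if [type] == "cq-access" {
    grok { match => [ "message", "%{IPORHOST:clientip} %{QS}" ] }
  }
}
'''
FIXED = BROKEN.replace("  }\n\nfilter", "  }\n}\n\nfilter")
print(find_unclosed_sections(BROKEN))
```

Logstash's own parser remains the authority; `bin/logstash --config.test_and_exit -f <file>` validates a configuration without starting the pipeline.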

(venkat) #3

Thank you!

