Hi,
I have installed Logstash 6.2, and with the following configuration I am not able to start Logstash. I am getting an error at the filter configuration, but I tried to change it and am getting the same result. Can anyone help me with this?
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
filter {
  if [type] == "cq-access"{
    grok {
      match => [ "message", "%{IPORHOST:clientip} - %{USER:ident} %{HTTPDATE:timestamp} %{QS}" ]
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    user => "logstash_admin"
    password => "Logstashpassword"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
Error:
[2018-06-07T14:10:24,390][WARN ][logstash.licensechecker.licensereader] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6}
[2018-06-07T14:10:24,414][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>".monitoring-logstash", :thread=>"#<Thread:0x15df503e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 sleep>"}
[2018-06-07T14:10:24,432][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 10, column 8 (byte 213) after input { \n\tbeats {\n \t\tport => 5044\n \t\tssl => true\n \t\tssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"\n \t\tssl_key => "/etc/pki/tls/private/logstash-forwarder.key"\n \t }\t\t\t\n\nfilter {\n\t\tgrok ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:in `compile_graph'",
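An added example, not part of the original post and not Logstash code: the error names the place where parsing stopped (`filter {` at line 10), while the posted `input {` block has only one closing brace for its two opening ones. This sketch tracks brace depth outside strings and comments and flags a top-level section that starts while another is still open; the function name and the shortened sample are assumptions made for the illustration.

```python
SECTIONS = ("input", "filter", "output")
def check_logstash_braces(config):
    """Return (line, message) findings for unbalanced braces in a pipeline config."""
    findings, stack = [], []            # stack: (label, line) for every open '{'
    token, line, i, n = "", 1, 0, len(config)
    while i < n:
        ch = config[i]
        if ch == "\n":
            line += 1
        elif ch == "#":                 # comment: skip to end of line
            while i + 1 < n and config[i + 1] != "\n":
                i += 1
        elif ch in "\"'":               # quoted string: braces like %{USER} are data
            i += 1
            while i < n and config[i] != ch:
                line += config[i] == "\n"
                i += 2 if config[i] == "\\" else 1   # step over escaped characters
            token = ""
        elif ch == "{":
            if token in SECTIONS and stack:
                findings.append((line, f"'{token}' starts inside '{stack[0][0]}', open since line {stack[0][1]}"))
            stack.append((token, line))
            token = ""
        elif ch == "}":
            if stack:
                stack.pop()
            else:
                findings.append((line, "'}' without a matching '{'"))
            token = ""
        elif ch.isalnum() or ch == "_":  # the word directly before '{' names the block
            prev = config[i - 1] if i else " "
            token = token + ch if (prev.isalnum() or prev == "_") else ch
        elif not ch.isspace():
            token = ""
        i += 1
    findings += [(ln, f"'{label or 'block'}' opened here is never closed") for label, ln in stack]
    return findings

# Constructed sample: shortened copy of the posted config with the same missing brace.
SAMPLE = '''input {
  beats {
    port => 5044
  }
filter {
  grok { match => [ "message", "%{IPORHOST:clientip} - %{USER:ident}" ] }
}
'''
for ln, msg in check_logstash_braces(SAMPLE):
    print(f"line {ln}: {msg}")
```

Logstash's own syntax check, `bin/logstash --config.test_and_exit -f <config file>`, parses the file without starting the pipeline and is the authoritative test; the sketch only points at where a block was left open.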