Logstash Configuration Error with BlueLiv

Hi there-

I'm pretty new to the ELK stack and have been tasked with using the ELK Stack with the BlueLiv Threat Intelligence Community. I have my basic setup configured for all ELK components; they start and whatnot. However, when I attempt to use my configuration for the BlueLiv community, I get the following error in my /var/log/logstash/logstash-plain.log file:
[2016-11-08T13:49:51,483][ERROR][logstash.agent ] fetched an invalid config {:config=>"input { \n blueliv {\n api_url => "https://freeapi.blueliv.com" \n http_timeout => 1000 \n api_key => "KEYREMOVED"\n feeds => {\n "b$

My configuration follows the documentation at https://github.com/Blueliv/ with my .conf file configured like so:
input {
  blueliv {
    api_url => "https://freeapi.blueliv.com"
    http_timeout => 1000
    api_key => "KEYREMOVED"
    feeds => {
      "botips" => {
        "active" => true
        "feed_type" => "non_pos"
      }
      "crimeservers" => {
        "active" => true
        "feed_type" => "all"
      }
    }
  }
}
output {
  elasticsearch {
    hosts => "localhost"
    index => "blueliv-%{@collection}"
    manage_template => false
    document_id => "%{_id}"
  }
}

Not really sure what the issue is. I thought maybe I had an extra } in place, but I tried to match every bracket together and didn't notice any out of place. Anything you can provide to help out would be most appreciated!! I just can't seem to figure out what the issue is here. If it helps, the URL from BlueLiv to set up the ELK stack is available at: https://github.com/Blueliv/elk-config-examples/blob/master/documentation.pdf

Just in case, I was able to install the BlueLiv plugin for LogStash, no problem.

Can you post the full error message? The one you're posting looks like it has the end cut off.

Also, did you make sure to install the blueliv plugin?

Andrew,

Thank you so much for replying and the help. I was able to install the blueliv plugin. My apologies for the error message being cut off. Here is the full error message.
[2016-11-08T13:51:39,908][ERROR][logstash.agent ] fetched an invalid config {:config=>"input { \n blueliv {\n api_url => "https://freeapi.blueliv.com" \n http_timeout => 1000 \n api_key => "KEYREMOVED"\n feeds => {\n "botips" => {\n "active" => "true"\n "feed_type" => 'non_pos"\n } \n "crimeservers" => {\n "active" => "true" \n "feed_type" => "recent"\n }\n }\n }\n}\n\n output {\n elasticsearch {hosts => ["localhost"] index => "blueliv-%{@collection}" \nmanage_template => false document_id => "%{document_id}"}}\n\ninput { blueliv { api_url => "https://freeapi.blueliv.com" http_timeout => 1000 api_key => "KEYREMOVED" feeds => { "botips" => { "active" => true "feed_type" => "non_pos" } "crimeservers" => {"active" => true "feed_type" => "all" }}}} \noutput { elasticsearch {hosts => "localhost" index => "blueliv-%{@collection}" manage_template => false document_id => "%{_id}"}\n\n", :reason=>"Expected one of \', ', any character at line 26, column 1 (byte 867) after input { \n blueliv {\n api_url => "https://freeapi.blueliv.com" \n http_timeout => 1000 \n api_key => "KEYREMOVED"\n feeds => {\n "botips" => {\n "active" => "true"\n "feed_type" => 'non_pos"\n } \n "crimeservers" => {\n "active" => "true" \n "feed_type" => "recent"\n }\n }\n }\n}\n\n output {\n elasticsearch {hosts => ["localhost"] index => "blueliv-%{@collection}" \nmanage_template => false document_id => "%{document_id}"}}\n\ninput { blueliv { api_url => "https://freeapi.blueliv.com" http_timeout => 1000 api_key => "KEYREMOVED" feeds => { "botips" => { "active" => true "feed_type" => "non_pos" } "crimeservers" => {"active" => true "feed_type" => "all" }}}} \noutput { elasticsearch {hosts => "localhost" index => "blueliv-%{@collection}" manage_template => false document_id => "%{_id}"}\n\n"}

You should check that line.
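The :reason position refers to the config Logstash actually loaded, which in the :config string above is two input/output pairs concatenated (every file under the config directory gets read), so the unterminated string may not sit where you expect in your own file. This added scanner, which is not from the thread or from Blueliv, reports the line and column where an unclosed quote opened; the SAMPLE config is constructed to reproduce the ' vs " mix from the error.

```python
def find_quote_error(text):
    """Track string literals and brace depth in a Logstash config. Return None
    if balanced, else a dict naming the first problem and where it started."""
    depth, quote, open_at = 0, None, None   # open quote char and its position
    line, col, i = 1, 1, 0
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\":                  # backslash escape: skip next char
                i, col = i + 1, col + 1
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote, open_at = ch, (line, col)
        elif ch == "#":                     # comment runs to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return {"error": "unexpected '}'", "line": line, "col": col}
        if ch == "\n":
            line, col = line + 1, 1
        else:
            col += 1
        i += 1
    if quote:
        return {"error": f"unterminated {quote} string",
                "line": open_at[0], "col": open_at[1]}
    if depth:
        return {"error": f"{depth} unclosed '{{'", "line": line, "col": col}
    return None

# Constructed sample (not the poster's file) with the ' vs " mix from the error's :config string.
SAMPLE = '''input {
  blueliv {
    feeds => {
      "botips" => {
        "active" => "true"
        "feed_type" => 'non_pos"
      }
    }
  }
}
output { elasticsearch { hosts => ["localhost"] index => "blueliv-%{@collection}" } }
'''
```

Running `find_quote_error(SAMPLE)` points at line 6, column 24, the single quote in front of non_pos; swapping it for a double quote makes the scanner return None.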
