Logstash Configuration Error with BlueLiv


#1

Hi there-

I'm pretty new to the ELK stack and have been tasked with using the ELK stack with the BlueLiv Threat Intelligence Community. I have my basic setup configured for all ELK components; they start and what not. However, when I attempt to use my configuration for the BlueLiv community, I get the following error in my /var/log/logstash/logstash-plain.log file:
[2016-11-08T13:49:51,483][ERROR][logstash.agent ] fetched an invalid config {:config=>"input { \n blueliv {\n api_url => "https://freeapi.blueliv.com" \n http_timeout => 1000 \n api_key => "KEYREMOVED"\n feeds => {\n "b$

My configuration follows the documentation at https://github.com/Blueliv/ with my .conf file configured like so:
input {
  blueliv {
    api_url => "https://freeapi.blueliv.com"
    http_timeout => 1000
    api_key => "KEYREMOVED"
    feeds => {
      "botips" => {
        "active" => true
        "feed_type" => "non_pos"
      }
      "crimeservers" => {
        "active" => true
        "feed_type" => "all"
      }
    }
  }
}
output {
  elasticsearch {
    hosts => "localhost"
    index => "blueliv-%{@collection}"
    manage_template => false
    document_id => "%{_id}"
  }
}

Not really sure what the issue is. I thought maybe I had an extra } in place, but I tried to match every bracket together and didn't notice any out of place. Anything you can provide to help out would be most appreciated!! I just can't seem to figure out what's the issue here. If it helps, the URL from BlueLiv to set up the ELK stack is available at: https://github.com/Blueliv/elk-config-examples/blob/master/documentation.pdf

Just in case, I was able to install the BlueLiv plugin for Logstash, no problem.


(andrewvc) #2

Can you post the full error message? The one you're posting looks like it has the end cut off.

Also, did you make sure to install the blueliv plugin?


#3

Andrew,

Thank you so much for replying and the help. I was able to install the blueliv plugin. My apologies for the error message being cut off. Here is the full error message.
[2016-11-08T13:51:39,908][ERROR][logstash.agent ] fetched an invalid config {:config=>"input { \n blueliv {\n api_url => "https://freeapi.blueliv.com" \n http_timeout => 1000 \n api_key => "KEYREMOVED"\n feeds => {\n "botips" => {\n "active" => "true"\n "feed_type" => 'non_pos"\n } \n "crimeservers" => {\n "active" => "true" \n "feed_type" => "recent"\n }\n }\n }\n}\n\n output {\n elasticsearch {hosts => ["localhost"] index => "blueliv-%{@collection}" \nmanage_template => false document_id => "%{document_id}"}}\n\ninput { blueliv { api_url => "https://freeapi.blueliv.com" http_timeout => 1000 api_key => "KEYREMOVED" feeds => { "botips" => { "active" => true "feed_type" => "non_pos" } "crimeservers" => {"active" => true "feed_type" => "all" }}}} \noutput { elasticsearch {hosts => "localhost" index => "blueliv-%{@collection}" manage_template => false document_id => "%{_id}"}\n\n", :reason=>"Expected one of \', ', any character at line 26, column 1 (byte 867) after input { \n blueliv {\n api_url => "https://freeapi.blueliv.com" \n http_timeout => 1000 \n api_key => "KEYREMOVED"\n feeds => {\n "botips" => {\n "active" => "true"\n "feed_type" => 'non_pos"\n } \n "crimeservers" => {\n "active" => "true" \n "feed_type" => "recent"\n }\n }\n }\n}\n\n output {\n elasticsearch {hosts => ["localhost"] index => "blueliv-%{@collection}" \nmanage_template => false document_id => "%{document_id}"}}\n\ninput { blueliv { api_url => "https://freeapi.blueliv.com" http_timeout => 1000 api_key => "KEYREMOVED" feeds => { "botips" => { "active" => true "feed_type" => "non_pos" } "crimeservers" => {"active" => true "feed_type" => "all" }}}} \noutput { elasticsearch {hosts => "localhost" index => "blueliv-%{@collection}" manage_template => false document_id => "%{_id}"}\n\n"}


(Mark Walkom) #4

You should check that line.
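Added example, not from the thread or from Logstash itself: a small Python linter that scans a pipeline file for the kind of defect the error above points at (a value opened with ' and closed with ", which then swallows every brace after it) and reports where the offending string begins, rather than only the byte offset at which the grammar gave up. The sample config and the function name are constructed for this example.

```python
# Constructed sample (not from the thread) reproducing the defect visible in
# the error above: the feed_type value opens with ' but closes with ".
SAMPLE = '''input {
  blueliv {
    feeds => {
      "botips" => {
        "active" => "true"
        "feed_type" => 'non_pos"
      }
    }
  }
}
'''

def lint_logstash_config(text):
    """Return a list of (line, col, message) for unbalanced quotes and braces."""
    findings, stack = [], []      # stack: (line, col) of each unmatched '{'
    quote = open_at = None        # quote char of the open string and where it began
    escaped = in_comment = warned = False
    line, col = 1, 0
    for ch in text:
        col += 1
        if quote:                 # inside a quoted string
            if escaped or ch == "\\":
                escaped = not escaped
            elif ch == quote:
                quote = None
            elif ch == "\n" and not warned:   # option values never span lines
                findings.append((open_at[0], open_at[1], "string opened with %s still open at end of line" % quote))
                warned = True
        elif in_comment:          # '#' comments run to end of line
            in_comment = ch != "\n"
        elif ch == "#":
            in_comment = True
        elif ch in "\"'":
            quote, open_at, warned = ch, (line, col), False
        elif ch == "{":
            stack.append((line, col))
        elif ch == "}":
            if stack:
                stack.pop()
            else:
                findings.append((line, col, "unexpected '}' with no matching '{'"))
        if ch == "\n":
            line, col = line + 1, 0
    if quote:                     # an open string swallows the braces after it
        findings.append((open_at[0], open_at[1], "unterminated string opened with %s" % quote))
    else:
        findings += [(l, c, "'{' is never closed") for l, c in stack]
    return findings
```

Run it over the contents of every file in the conf.d directory, since Logstash concatenates them all before parsing (which is why the error above contains two input and two output sections). Note also that this error writes the entire pipeline, api_key included, into logstash-plain.log, so that log needs the same access restrictions as the config file.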


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.