Logstash Configuration Error

ViJaY_S · June 14, 2017, 5:42pm

Hello,

Could you please help to fix the logstash configuration error, I see the below error while running configuration test.

Due to this issue importing new logs to ELK server is stopped,

Sending logstash logs to /var/log/logstash/logstash.log.
Error: Expected one of #, input, filter, output at line 229, column 1 (byte 4803) after
You may be interested in the '--configtest' flag which you can
use to validate logstash's configuration before you choose
to restart a running system.

logstash is not running

Please find the attached Logstash configuration file.

ViJaY_S · June 14, 2017, 7:04pm

<

Logstash Configuration file -Here you go.

filter {
grok {

match => {
	'message' => '\A%{TIMESTAMP_ISO8601:DateTime}%{SPACE}%{URIPATHPARAM:URI}%{SPACE}%{INT:Status}%{SPACE}%{QUOTEDSTRING:ComputerName}%{SPACE}%{QUOTEDSTRING:Referer}%{SPACE}%{INT:Win32Status}%{SPACE}%{NUMBER:BytesSent}%{SPACE}%{NUMBER:BytesReceived}%{SPACE}%{QUOTEDSTRING:UserAgent}%{SPACE}%{IP:ServerIP}%{SPACE}%{INT:ServerPort}%{SPACE}%{QUOTEDSTRING:Protocol}%{SPACE}%{PROG:Method}%{SPACE}%{IP:ClientIP}%{SPACE}%{NUMBER:TimeTaken}%{SPACE}%{NUMBER:RequestPerSecond}%{SPACE}%{HOSTNAME:WebSiteName}%{SPACE}%{GREEDYDATA:QRY}'

}

}

The timestamp may have commas instead of dots. Convert so as to store everything in the same way

mutate {
	gsub => [
            # replace all commas with dots
            "DateTime", ",", "."
	        "DateTime", " ", ";"
			"ComputerName", "\"", ""
			"Referer", "\"", ""
			"Protocol", "\"", ""
	]
		}

#mutate {
#	gsub => [
        # make the logTimestamp sortable. With a space, it is not! This does not work that well, in the end

        # but somehow apparently makes things easier for the date filter

"DateTime", " ", ";"

	#]
#}

User Agent

useragent { 
	add_tag => [ "UA" ] 
	source => "UserAgent" 
} 

date {

	locale => "en"
	match => ["DateTime", "YYYY-MM-dd;HH:mm:ss.SSS"]
	target => "@timestamp"
}

if [type] == "IISlogs" { 
	if [UserAgent] != "-" and [UserAgent] != "" { 
		useragent { 
		add_tag => [ "UA" ] 
		source => "UserAgent" 
		} 
	} 

	if "UA" in [tags] { 
		if [device] == "Other" { mutate { remove_field => "device" } } 
		if [name]   == "Other" { mutate { remove_field => "name" } } 
		if [os]     == "Other" { mutate { remove_field => "os" } } 
	}
}

geoip {
	source => "ClientIP"
	target => "geoip"
	database =>"/etc/logstash/GeoLiteCity.dat"
	add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
	add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
} 

mutate {
	convert => [ "[geoip][coordinates]", "float" ]
	convert => [ "BytesSent", "integer" ]
	convert => [ "BytesReceived", "integer" ]
	convert => [ "RequestsPerSecond", "integer" ]
}

}

warkolm · June 15, 2017, 1:04am

Can you please reformat your config using the code button - </> - to make it easier to read.

system · July 13, 2017, 1:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.