Logstash configuration file error

For the life of me I cannot figure out why my logstash.conf file is wrong.

input{
	tcp{
		host => "127.0.0.1"
		port => 514 
	}
	udp{
		host => "127.0.0.1"
		port => 514 
	}
}
filter{
		grok{
			match => { “message” => [
												    “<%{INT:severity}>%{SYSLOGTIMESTAMP:datestamp} %{HOSTNAME:hostName} %{WORD:processName}: \[%{SYSLOGPROG:fileName}](\[%{INT:lineNumber}]:)? %{GREEDYDATA:logMessage}”,
												    “<%{INT:severity}>%{SYSLOGTIMESTAMP:datestamp} %{SYSLOGHOST:hostName} %{SYSLOGPROG:syslog_program}((\[|-)%{POSINT:syslog_pid}(\])?)?: %{GREEDYDATA:syslog_message}”,
												    “<%{INT:severity}>%{SYSLOGTIMESTAMP:datestamp} %{HOSTNAME:hostName} %{WORD:processName}: %{GREEDYDATA:logMessage}”
												  ]
			}
		}    	
}
output{
	if “_grokparsefailure” not in [tags]{
		elasticsearch{
		index => “sys-”
		document_type => “syslog”
		hosts => [“http://127.0.0.1:9200”] #x.x.x.x is IP address of server
		}
	}
	else{
		file{
			path => “${HOME}/profiles/CDR/ELK/syslog_fails.txt”
		}
	}
}

It says the error is:

"Expected one of #, -, ", ', } at line 13, column 15 (byte 132) after filter{\n\t\tgrok{\n\t\t\tmatch => { "

It looks like Logstash doesn't like the quotation marks used in a few parts of your config:"“"/"”" vs """

Find and replace all instances of "“"/"”" with """ and that should get you past this first hurdle.

Edited hoping formatting changes will help make the subtleties more obvious.

Thanks for the quick reply. I didn't even notice that. Unsure of how that happened. Changed all instances and it worked.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.