My logstash configuration is not working in the latest update of logstash it works with logstash 1.4.4 ...
The given configuration is invalid. Reason: The setting `type` in plugin `grok` is
obsolete and is no longer available. You can achieve this same behavior with the new conditionals,
like: `if [type] == "sometype" { grok { ... } }`. If you have any questions about this, you are invited to visit https://discuss.elastic.co/c/logstash and ask. {:level=>:fatal}
my configuration is as follow
input {
syslog {
type => "squid"
port => 517
}
syslog {
type => "firewall"
port => 514
codec => plain { charset => "ISO-8859-1" }
}
udp {
type => "cisco-fw"
port => 5544
}
}
filter {
grok {
type => "firewall"
break_on_match => false
match => [ "message", "%{GREEDYDATA:device}NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration:int} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent:int} rcvd=%{INT:rcvd:int} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} src-xlated ip=%{IPORHOST:src_xlated_ip} port=%{INT:src_xlated_port} dst-xlated ip=%{IPORHOST:dst_xlated_ip} port=%{INT:dst_xlated_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}",
"message", "%{GREEDYDATA:device}NetScreen device_id=%{WORD:device_id}%{DATA}: start_time=%{QUOTEDSTRING:start_time} duration=%{INT:duration:int} policy_id=%{INT:policy_id} service=%{DATA:service} proto=%{INT:proto} src zone=%{WORD:src_zone} dst zone=%{WORD:dst_zone} action=%{WORD:action} sent=%{INT:sent:int} rcvd=%{INT:rcvd:int} src=%{IPORHOST:src_ip} dst=%{IPORHOST:dst_ip} src_port=%{INT:src_port} dst_port=%{INT:dst_port} session_id=%{INT:session_id} reason=%{GREEDYDATA:reason}"]
tag_on_failure => ["parse_error_fw"]
}
grok {
type => "mma-squid"
break_on_match => false
match => ["message", "<14>%{GREEDYDATA:sdate} mmasquidproxy \(squid-1\): %{NUMBER:timestamp}\s+%{NUMBER:request_msec:float} %{IPORHOST:src_ip} %{WORD:cache_result}/%{NUMBER:response_status:int} %{NUMBER:response_size:int} %{WORD:http_method} (%{URIPROTO:http_proto}://)?%{IPORHOST:dst_host}(?::%{POSINT:port})?(?:%{URIPATHPARAM:uri_param})? %{USERNAME:cache_user} %{WORD:request_route}/(%{IPORHOST:forwarded_to}|-) %{GREEDYDATA:content_type}"]
tag_on_failure => ["parse_error_squid"]
}
grok {
tags => "cisco-fw"
patterns_dir => "/opt/logstash-1.4.1/patterns"
pattern => "^<%{POSINT:syslog_pri}>(?:(%{TIMESTAMP_ISO8601:timestamp8601} |%{CISCOTIMESTAMP:timestamp} ))?%{SYSLOGHOST:logsource}?[ :]+%{GREEDYDATA:syslog_message}"
}
syslog_pri {
tags => "cisco-fw"
}
mutate {
tags => "cisco-fw"
exclude_tags => "_grokparsefailure"
replace => [ "@source_host", "%{logsource}" ]
replace => [ "@message", "%{syslog_message}" ]
}
# for optional fields (device name in message, Cisco syslog tag)
grok {
tags => "cisco-fw"
patterns_dir => "/opt/logstash-1.4.1/patterns"
pattern => "(?:%{SYSLOGHOST:device} )?(?:: )?%%{CISCOFWTAG:ciscotag}:%{GREEDYDATA}"
}
# we extract fields
grok {
tags => "cisco-fw"
break_on_match => false
patterns_dir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-2.0.5/patterns/"
pattern => [
"%{CISCOFW1}",
"%{CISCOFW2}",
"%{CISCOFW3}",
"%{CISCOFW4}",
"%{CISCOFW4b}",
"%{CISCOFW5}",
"%{CISCOFW6a}",
"%{CISCOFW6b}",
"%{CISCOFW7}",
"%{CISCOFW8}",
"%{CISCOFW9}",
"%{CISCOFW10}",
"%{CISCOFW11}",
"%{CISCOFW12}",
"%{CISCOFW13}",
"%{CISCOFW14}",
"%{CISCOFW15}",
"%{CISCOFW16}",
"%{CISCOFW17}",
"%{CISCOFW18}"
]
}
}
### END
output {
elasticsearch {
host => "localhost"
cluster => "elasticsearch"
}
}