I just rebuilt my test & dev ELK box on new hardware. After the install (which upgraded Logstash from 2.2.3 to 2.3.4), Logstash now gets a "RegexpError: Undefined group option" with the config file that worked fine before the upgrade.
Config File:
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
  json {
    source => "message"
  }
}
Full Error Message:
{:timestamp=>"2016-07-08T15:24:17.360000-0700", :message=>"Pipeline aborted due to error", :exception=>#<RegexpError: undefined group option: /(?(?:\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|????)?r(?:c
h|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?
:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b) +(?:(?:(?:0[1-9])|(?:[12]
[0-9])|(?:3[01])|[1-9])) (?:(?!<[0-9])(?:(?:2[0123]|[01]?[0-9])):(?:(?:[0-5][0-9
]))(?::(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9]))) (?<SYSLOGHOST:sysl
og_hostname>(?:(?:(?:(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A
-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]
|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){
1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3
})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:
((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))
|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((
25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(
([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25
[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([
0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0
-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((
:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9
]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[
0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]).
.[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[
0-5]))(?![0-9]))))|(?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:.(?:[0-9A-Za-z][0-9
A-Za-z-]{0,62}))(.?|\b))))) (?<DATA:syslog_prograqm>.?)(?[(?<POSINT:syslog_p
id>\b(?:[1-9][0-9])\b)])?: (?GREEDYDATA:syslog_message.)/m>, :backtrace=>[
  "org/jruby/RubyRegexp.java:1434:in `initialize'",
  "/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb:127:in `compile'",
  "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:264:in `register'",
  "org/jruby/RubyArray.java:1613:in `each'",
  "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:259:in `register'",
  "org/jruby/RubyHash.java:1342:in `each'",
  "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:255:in `register'",
  "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:182:in `start_workers'",
  "org/jruby/RubyArray.java:1613:in `each'",
  "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:182:in `start_workers'",
  "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:136:in `run'",
  "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/agent.rb:473:in `start_pipeline'"
], :level=>:error}
{:timestamp=>"2016-07-08T15:24:20.370000-0700", :message=>"stopping pipeline", :id=>"main"}
I did search around (and looked through the various Logstash Release Notes), but haven't been able to find anything.
Any help to get this working would be great.