Logstash error after upgrade to 2.3.4

tbernhardson · July 11, 2016, 9:41pm

I just rebuilt my test & dev ELK box on new hardware, after the install (which upgraded Logstash from 2.2.3 to 2.3.4) logstash now gets a "RegexpError: Undefined group option" with the config file that worked fine before the upgrade.

Config File:
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timest
amp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pi
d}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM
dd HH:mm:ss" ]
}
}
json {
source => "message"
}
}

Full Error Message:
{:timestamp=>"2016-07-08T15:24:17.360000-0700", :message=>"Pipeline aborted due
to error", :exception=>#<RegexpError: undefined group option: /(?(?:\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|????)?r(?:c
h|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?
:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b) +(?:(?:(?:0[1-9])|(?:[12]
[0-9])|(?:3[01])|[1-9])) (?:(?!<[0-9])(?:(?:2[0123]|[01]?[0-9])):(?:(?:[0-5][0-9
]))(?::(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))(?![0-9]))) (?<SYSLOGHOST:sysl
og_hostname>(?:(?:(?:(?:(?:((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A
-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]
|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){
1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3
})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:
((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))
|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((
25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(
([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25
[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([
0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0
-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((
:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9
]?\d)(.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?)|(?:(?<![0-9])(?:(?:[
0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]).
.[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[
0-5]))(?![0-9]))))|(?:\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:.(?:[0-9A-Za-z][0-9
A-Za-z-]{0,62}))(.?|\b))))) (?<DATA:syslog_prograqm>.?)(?[(?<POSINT:syslog_p
id>\b(?:[1-9][0-9])\b)])?: (?GREEDYDATA:syslog_message.)/m>, :backtrace=>["
org/jruby/RubyRegexp.java:1434:in initialize'", "/opt/logstash/vendor/bundle/jr uby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb:127:incompile'", "/opt/logstash/
vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/gro
k.rb:264:in register'", "org/jruby/RubyArray.java:1613:ineach'", "/opt/logsta
sh/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/
grok.rb:259:in register'", "org/jruby/RubyHash.java:1342:ineach'", "/opt/logs
tash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filter
s/grok.rb:255:in register'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logsta sh-core-2.3.4-java/lib/logstash/pipeline.rb:182:instart_workers'", "org/jruby/
RubyArray.java:1613:in each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logs tash-core-2.3.4-java/lib/logstash/pipeline.rb:182:instart_workers'", "/opt/log
stash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipelin
e.rb:136:in run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2. 3.4-java/lib/logstash/agent.rb:473:instart_pipeline'"], :level=>:error}
{:timestamp=>"2016-07-08T15:24:20.370000-0700", :message=>"stopping pipeline", :
id=>"main"}

I did search around (and looked through the various Logstash Release Notes), but havn't been able to find anything.

Any help to get this working would be great.

suyograo · July 11, 2016, 11:37pm

@tbernhardson can you paste the sample log line so we can test it?

tbernhardson · July 12, 2016, 3:52pm

Sure, but I will need some help in figuring out how to log the input into logstash. I tried using --debug but if the input is in the file it is not easy to find.

tbernhardson · July 13, 2016, 10:17pm

Found the problem. I had assumed that logstash did like other packages that use .conf files and ignored any files in the conf.d directory that did not end in .conf. It turns out that logstash reads all the files in conf.d no matter what their name is. This caused a problem because I have a standard that prior to making a change I make a copy of the file with an extension of YYMMDD (I.E. 10-syslog-filter.conf.20160711). So logstash was not only reading the correct files, but also the previous ones with other settings, etc.

Once I moved the backup files out of the conf.d directory, logstash stopped giving the error.