Logstash Error Failed to Execute action

Team,

I've lost all my hair... For whatever reason, I can't figure this out.

[2022-09-23T15:09:46,265][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 1, column 1 (byte 1)", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:210:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "org/jruby/RubyClass.java:909:in `new'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:50:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:381:in `block in converge_state'"]}
[2022-09-23T15:09:46,348][INFO ][logstash.runner ] Logstash shut down.
[2022-09-23T15:09:46,356][FATAL][org.logstash.Logstash ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:790) ~[jruby.jar:?]
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:753) ~[jruby.jar:?]
at usr.share.logstash.lib.bootstrap.environment.(/usr/share/logstash/lib/bootstrap/environment.rb:91) ~[?:?]

Here is a copy of my logstash.conf...

input {
      tcp {
        host => "10.141.0.172"
        port => 5045
      }
    }
# filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      }
      date {
        match => [ "received_from", "%{host}" ]
        }
     }
   }
output {
  elasticsearch {
    hosts => ["https://10.141.0.170:9200"]
  }
 }

Any help growing my hair back would be beneficial!!!

Also, whether I add the if syslog or remove the if syslog, I still get the same error. However, I did remove the if syslog since I don't have a type => syslog statement.

Are you setting path.config (either in logstash.yml, pipelines.yml, or on the command line using -f)? If so, what value are you setting?

Is this a typo, or is the filter { commented out?

Also, the error is here:

You need to check if your config is correct.

You need an input block, filter block and output block.

Validate your config and check that all the blocks have the correct opening { and closing }. The configuration you shared is wrong because you are not opening the filter block; it is commented out.

input {
  tcp {
    host => "10.141.0.172"
    port => 5045
  }

}
filter {
  grok {
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]
  }
    date {
      match => [ "received_from", "%{host}" ]
    }

}
output {
        elasticsearch {
          hosts => ["https://10.141.0.170:9200"]
       }
       stdout {
       }
}

Pipelines:

- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"

syslog.conf is located in /etc/logstash/conf.d/

Logstash.yml
Data Path:
path.data: /var/lib/logstash

log.level: info

path.logs: /var/log/logstash

I suspect that path.config is picking up another file and that the unwanted file does not look like a logstash configuration. Try changing that to specify the single file you want.
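A quick way to test the suspicion in the reply above, given here as an added example that is not part of the original thread: list every file the path.config glob matches and flag any whose first non-comment token is not input, filter or output, which is what the "line 1, column 1" message complains about. The function names first_token and check_glob are hypothetical, and the check is a heuristic, not Logstash's own parser.

```shell
#!/bin/sh
# Added example: find files matched by a path.config glob that do not start
# like a Logstash pipeline config. Heuristic only; names are hypothetical.

# first_token FILE
# Print the first word of the first line that is neither blank nor a '#'
# comment. A stray BOM or other junk stays attached to the word, so it shows.
first_token() {
  awk '
    /^[ \t\r]*$/ { next }    # skip blank lines
    /^[ \t]*#/   { next }    # skip comment lines
    { sub(/^[ \t]+/, ""); sub(/[ \t\r{].*$/, ""); print; exit }
  ' "$1"
}

# check_glob PATTERN
# Expand PATTERN the way the shell does and report each regular file as
# OK, EMPTY (only blanks/comments) or BAD. Returns 1 if any file is BAD.
check_glob() {
  rc=0
  for f in $1; do            # unquoted on purpose so the glob expands
    [ -f "$f" ] || continue
    tok=$(first_token "$f")
    case "$tok" in
      input|filter|output) echo "OK    $f" ;;
      "")                  echo "EMPTY $f" ;;
      *)                   echo "BAD   $f (starts with: $tok)"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage, with the glob from pipelines.yml on this page:
#   check_glob "/etc/logstash/conf.d/*.conf"
```

Once the stray file is moved out of the directory or path.config names a single file, Logstash's `--config.test_and_exit` (`-t`) flag performs the full syntax check on what remains.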

Ok so there were two things. I did have to specify the .conf file in the path.config. However, I also had to specify the cert and user creds in the conf file for the elasticsearch output.