Logstash Error Failed to Execute action

Team,

I've lost all my hair... For whatever reason, I can't figure this out.

[2022-09-23T15:09:46,265][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 1, column 1 (byte 1)", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:210:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "org/jruby/RubyClass.java:909:in `new'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:50:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:381:in `block in converge_state'"]}
[2022-09-23T15:09:46,348][INFO ][logstash.runner ] Logstash shut down.
[2022-09-23T15:09:46,356][FATAL][org.logstash.Logstash ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:790) ~[jruby.jar:?]
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:753) ~[jruby.jar:?]
at usr.share.logstash.lib.bootstrap.environment.(/usr/share/logstash/lib/bootstrap/environment.rb:91) ~[?:?]

Here is a copy of my logstash.conf...

input {
      tcp {
        host => "10.141.0.172"
        port => 5045
      }
    }
# filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      }
      date {
        match => [ "received_from", "%{host}" ]
        }
     }
   }
output {
  elasticsearch {
    hosts => ["https://10.141.0.170:9200"]
  }
 }

Any help growing my hair back would be beneficial!!!

Also, whether I add the if syslog or remove the if syslog, I still get the same error. However, I did remove the if syslog since I don't have a type => syslog statement.

Are you setting path.config (either in logstash.yml, pipelines.yml, or on the command line using -f)? If so, what value are you setting?

Is this a typo, or is the filter { commented out?

Also, the error is here:

You need to check if your config is correct.

You need an input block, a filter block and an output block.

Validate your config and check that all the blocks have the correct opening { and closing }. The configuration you shared is wrong because you are not opening the filter block; it is commented out.

input {
  tcp {
    host => "10.141.0.172"
    port => 5045
  }

}
filter {
  grok {
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]
  }
    date {
      match => [ "received_from", "%{host}" ]
    }

}
output {
        elasticsearch {
          hosts => ["https://10.141.0.170:9200"]
       }
       stdout {
       }
}

Pipelines:

  - pipeline.id: main
    path.config: "/etc/logstash/conf.d/*.conf"

syslog.conf is located in /etc/logstash/conf.d/

Logstash.yml
Data Path:
path.data: /var/lib/logstash

log.level: info

path.logs: /var/log/logstash

I suspect that path.config is picking up another file and that the unwanted file does not look like a logstash configuration. Try changing that to specify the single file you want.
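An added example, not part of the thread or of Logstash: a small Python check that lists every file a path.config glob matches and reports any whose first token is not one the error message above allows at line 1, column 1. The file names and contents in demo() are constructed; on a real host you would call scan("/etc/logstash/conf.d/*.conf").

```python
import glob
import os
import re
import tempfile

# The error lists what may open a config: whitespace, "#", "input", "filter", "output".
SECTION = re.compile(r"(input|filter|output)\s*\{")

def first_token_problem(text):
    """Return None if text can open a pipeline config, else a short reason."""
    pos = 0
    while pos < len(text):
        if text[pos] in " \t\r\n":      # whitespace set from the error message
            pos += 1
        elif text[pos] == "#":          # comment runs to end of line
            nl = text.find("\n", pos)
            pos = len(text) if nl == -1 else nl + 1
        else:
            break
    if pos == len(text):
        return "no input/filter/output section found"
    if not SECTION.match(text, pos):
        return "starts with %r, not input/filter/output" % text[pos:pos + 20]
    return None

def scan(pattern):
    """Map every file matched by a path.config-style glob to its problem or None."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = first_token_problem(fh.read())
    return results

def demo():
    # Constructed sample directory: one pipeline file plus two stray *.conf files.
    samples = {
        "syslog.conf": "input {\n  tcp { port => 5045 }\n}\n# filter {\n",
        "notes.conf": "TODO: move grok patterns\n",
        "old.conf": "\ufeffinput { stdin {} }\n",   # saved with a byte order mark
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        found = scan(os.path.join(d, "*.conf"))
        return {os.path.basename(p): why for p, why in found.items()}

if __name__ == "__main__":
    for name, problem in demo().items():
        print(name, "->", problem or "ok")
```

This only inspects how each file begins; it does not replace validating the full configuration with Logstash itself.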

Ok so there were two things. I did have to specify the .conf file in the path.config. However, I also had to specify the cert and user creds in the conf file for the elasticsearch output.
