Logstash error

Ashwin_Patil1 · June 25, 2021, 11:04am

I have installed logstash and the following is the .conf file
input {
beat {
port => 5044
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

output {
if [beat][hostname] == "ip-192.168.1.12"
elasticsearch {
hosts => "192.168.16.11:9200"
index => "Win_syslog-%{+YYYY.MM.dd}"
user => "elastic"
password => ""
}
else {
elasticsearch {
hosts => "192.168.16.11:9200"
index => "syslog-%{+YYYY.MM.dd}"
user => "elastic"
password => ""
}

}

When I start logstash service and run tail, I get the following error,
localhost:~ # tail /var/log/logstash/logstash-plain.log

[2021-06-25T11:29:59,952][INFO ][logstash.runner ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2021-06-25T11:29:59,978][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.13.2", "jruby.version"=>"jruby 9.2.16.0 (2.5.7) 2021-03-03 f82228dc32 OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[2021-06-25T11:30:03,223][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2021-06-25T11:30:04,965][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "and", "or", "xor", "nand", "{" at line 23, column 3 (byte 552) after output {\n\tif [beat][hostname] == "ip-192.168.1.12"\n\t\t", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in block in converge_state'"]}
[2021-06-25T11:30:05,179][INFO ][logstash.runner ] Logstash shut down.
[2021-06-25T11:30:05,197][FATAL][org.logstash.Logstash ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby-complete-9.2.16.0.jar:?]
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby-complete-9.2.16.0.jar:?]
at usr.share.logstash.lib.bootstrap.environment.(/usr/share/logstash/lib/bootstrap/environment.rb:89) ~[?:?]

Betorov · June 25, 2021, 12:29pm

Try this:

output:

output {
if [beat][hostname] == "ip-192.168.1.12"
      {
elasticsearch {
hosts => "192.168.16.11:9200"
index => "Win_syslog-%{+YYYY.MM.dd}"
user => "elastic"
password => ""
}
}
else {
elasticsearch {
hosts => "192.168.16.11:9200"
index => "syslog-%{+YYYY.MM.dd}"
user => "elastic"
password => ""
}

	}
}

Ashwin_Patil1 · June 25, 2021, 3:42pm

thank you

system · July 23, 2021, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.