Logstash - Exchange 2013 Message Tracking

Hi,

I cannot get logstash to output exchange 2013 tracking logs properly. Can anyone help?

Logstash Config:

input {
    beats {
        port => 5044
        type => "ex_msg_trk"
    }
}

filter {
    if [type] == "ex_msg_trk" {

        grok {
            match => { "message" => "(%{TIMESTAMP_ISO8601:date-time})?,(%{IPORHOST:client-ip})?,(%{IPORHOST:client-hostname})?,(%{IPORHOST:server-ip})?,(%{IPORHOST:server-hostname})?,(%{GREEDYDATA:source-context})?,(%{GREEDYDATA:connector-id})?$" }
        }

        mutate {
            convert => [ "total-bytes", "integer" ]
            convert => [ "recipient-count", "integer" ]
            split => [ "recipient-address", ";" ]
            split => [ "source-context", ";" ]
            split => [ "custom_data", ";" ]
        }

    }
}

output {
    if [type] == "ex_msg_trk" {
        elasticsearch {
            # hosts value is unquoted here; this is the line the error below points at
            hosts => elastic1:9201
            index => "logstash_exch-%{+YYYY.MM.dd}"
        }
    }
}

Logstash Error:
[2018-08-22T15:28:59,381][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 30, column 23 (byte 1265) after output {\n if [type] == "ex_msg_trk" {\n elasticsearch {\n hosts => elastic1", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:49:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:167:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:305:in `block in converge_state'"]}
[2018-08-22T15:29:00,120][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

Cheers,
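As an added example (not part of this thread), the Python below does offline what the filter above is trying to do: it takes the column names from the log's own "#Fields:" header rather than hard-coding them in a grok pattern, converts total-bytes and recipient-count to integers, and splits the ";"-separated fields into lists. The header is the Exchange 2013 message tracking field list; the log excerpt is constructed, and the quoted message-subject containing a comma shows why a comma-delimited GREEDYDATA grok mis-splits real rows.

```python
import csv
import io

# Constructed sample in Exchange 2013 message tracking log format (not a real log).
# The #Fields header names the 27 columns that the thread's grok hard-codes.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2018-08-22T15:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2018-08-22T15:01:02.345Z,10.0.0.5,MAIL01,10.0.0.9,EDGE01,08D5F0A1B2C3D4E5;2018-08-22T15:01:02.000Z;0,Default MAIL01,SMTP,RECEIVE,12345,<abc@example.com>,6e2e1e1e-0000-0000-0000-000000000001,alice@example.com;bob@example.com,,4096,2,,,"Quarterly report, draft",sender@example.net,sender@example.net,,Incoming,,10.0.0.5,10.0.0.9,S:FirstForestHop=MAIL01;S:SomeKey=Value
"""

# Same conversions the thread's mutate filter asks for.
INT_FIELDS = ("total-bytes", "recipient-count")
LIST_FIELDS = ("recipient-address", "source-context", "custom-data")


def parse_tracking_log(text):
    """Return one dict per data row, using the #Fields header for column names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split(",")
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        # csv honours the quoting around message-subject, so an embedded comma
        # does not shift every later column (a plain comma split would).
        values = next(csv.reader(io.StringIO(line)))
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        row = dict(zip(fields, values))
        for name in INT_FIELDS:
            row[name] = int(row[name]) if row[name] else None
        for name in LIST_FIELDS:
            row[name] = [v for v in row[name].split(";") if v]
        rows.append(row)
    return rows


if __name__ == "__main__":
    for event in parse_tracking_log(SAMPLE_LOG):
        print(event["event-id"], event["recipient-count"], event["recipient-address"])
```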

Cured, missing " off each end of the hosts entry.

Resolved.
