Logstash input jdbc :unknown error:

Olatunde_Tokun · June 5, 2018, 5:47pm

Hey,

I use multi pipeline to ingest logs from a database using jdbc driver. It works great, but every once (once in 2 hours) in a while I see errors from the jdbc input plugin.

There are no missing events because it uses a timebased sql_last_value, but im curious to know why there are these errors and how it can be resolved.

[2018-06-05T12:34:02,702][ERROR][logstash.inputs.jdbc     ] Java::JavaSql::SQLException: unknown error: SELECT client_application_id, client_application_name, FROM_UNIXTIME(connection_sec), HEX(dst_ipaddr) as dst, dst_port, event_id, FROM_UNIXTIME(event_time_sec) as rt, impact, interface_egress_name, interface_ingress_name, protocol_name, protocol_num, priority, rule_classification, rule_classification_id, rule_message as name, rule_signature_id, rule_generator_id, security_zone_egress_name, security_zone_ingress_name, sensor_name, sensor_address, HEX(src_ipaddr) as src, src_port, src_user_name, vlan_id FROM table WHERE FROM_UNIXTIME(connection_sec)>'2018-06-05 16:33:01.814906'

The input config file is below:
input {
jdbc {
jdbc_connection_string => "jdbc:vjdbc:rmi://server:port/VJdbc,eqe"
jdbc_validate_connection => false
jdbc_driver_library => "/usr/share/logstash/logstash-core/lib/jars/vjdbc.jar,/usr/share/logstash/logstash-core/lib/jars/commons-logging-1.1.jar"
jdbc_driver_class => "com.technology.vjdbc.VirtualDriver"
jdbc_default_timezone => "Etc/UTC"
schedule => "* * * * *"
clean_run => false
last_run_metadata_path => "/usr/share/logstash/config/.lastrun_intrusion"
add_field => { "source" => "tablename" }
tracking_column_type => "timestamp"
statement => "SELECT client_application_id, client_application_name, FROM_UNIXTIME(connection_sec), HEX(dst_ipaddr) as dst, dst_port, event_id, FROM_UNIXTIME(event_time_sec) as rt, impact, interface_egress_name, interface_ingress_name, protocol_name, protocol_num, priority, rule_classification, rule_classification_id, rule_message as name, rule_signature_id, rule_generator_id, security_zone_egress_name, security_zone_ingress_name, sensor_name, sensor_address, HEX(src_ipaddr) as src, src_port, src_user_name, vlan_id FROM table WHERE FROM_UNIXTIME(connection_sec)>:sql_last_value"
}
}

Thanks in advance.

Olatunde_Tokun · June 5, 2018, 8:06pm

Below is running LS in debug mode. Though not sure how Im supposed to fix this. Is this happening because LS is trying to count the amount of rows to be added? Any ideas or pointers would be appreciated.

[DEBUG MODE]

[2018-06-05T15:59:02,781][ERROR][logstash.inputs.jdbc ] Java::JavaSql::SQLException: parse error: unexpected keyword [SELECT]: SELECT count(*) AS "COUNT" FROM (SELECT application_name, client_application_id, client_application_name, FROM_UNIXTIME(connection_sec), detection_name, detector_type, direction, disposition, domain_name, HEX(dst_ipaddr) as dst, dst_port, event_description, event_id, event_type, file_name, file_path, file_sha, file_size, file_timestamp, file_type, http_response_code,score/100 as severity, sensor_name as dvchost, HEX(src_ipaddr) as src, src_port, threat_name, timestamp as rt, url, username FROM table1 WHERE FROM_UNIXTIME(connection_sec)>'2018-06-05 19:48:01.625947') AS "T1" LIMIT 1

[2018-06-05T15:59:02,795][WARN ][logstash.inputs.jdbc ] Exception when executing JDBC query {:exception=>#<Sequel::DatabaseError: Java::JavaSql::SQLException: parse error: unexpected keyword [SELECT]>}
[2018-06-05T15:59:02,987][ERROR][logstash.inputs.jdbc ] Java::JavaSql::SQLException: parse error: unexpected keyword [SELECT]: SELECT count(*) AS "COUNT" FROM (SELECT action, application_id, application_name, FROM_UNIXTIME(connection_sec), client_application_name, direction, disposition, domain_name, HEX(dst_ipaddr) as dst, dst_port, event_description, file_name, file_sha, file_size, file_type, file_type_id, file_type_category, http_response_code, sensor_id, sandboxed, score/10 as severity, HEX(src_ipaddr) as src, src_port, sensor_address as dvc, sensor_name, threat_name, policy_uuid, url, username, user_id FROM table2 WHERE FROM_UNIXTIME(connection_sec)>'2018-06-05 19:48:01.642526') AS "T1" LIMIT 1

[2018-06-05T15:59:02,992][ERROR][logstash.inputs.jdbc ] Java::JavaSql::SQLException: parse error: unexpected keyword [SELECT]: SELECT count(*) AS "COUNT" FROM (SELECT access_control_policy_name, access_control_rule_name, application_protocol_name, blocked, client_application_id, client_application_name, FROM_UNIXTIME(connection_sec), HEX(dst_ipaddr) as dst, dst_port, event_id, FROM_UNIXTIME(event_time_sec) as rt, impact, interface_egress_name, interface_ingress_name, protocol_name, protocol_num, priority, rule_classification, rule_classification_id, rule_message as name, rule_signature_id, rule_generator_id, security_zone_egress_name, security_zone_ingress_name, sensor_name, sensor_address, HEX(src_ipaddr) as src, src_port, src_user_name, vlan_id FROM table3 WHERE FROM_UNIXTIME(connection_sec)>'2018-06-05 19:48:01.580091') AS "T1" LIMIT 1

system · July 3, 2018, 8:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JDBC Logstash Plugin issue Logstash	2	249	September 30, 2021
Error input jdbc Logstash	4	1192	July 6, 2017
Error on Logstash pipeline Logstash	2	247	September 26, 2020
Multiple JDBC Inputs in Single Logstash Config File - Unknown Error Logstash	7	8029	September 19, 2017
Logstash 6.6.0 jdbc_input plugin crashing during timezone conversion Logstash	2	1001	March 1, 2019

Logstash input jdbc :unknown error:

Related topics