Logstash Java Errors

dfir · September 30, 2024, 8:16pm

HI All: Is anyone familiar with the below logstash error? I am trying to run a basic Combined apache log GROK Filter.

match => { "message" => "%{COMBINEDAPACHELOG}" }

[2024-09-30T20:13:10,962][WARN ][filewatch.readmode.handlers.readfile][main][cc8228215bb7fad837c5662d01d2f6541e2cc120f6d3612b5c8deb4ea23686e8] failed to open {:path=>"/D:/01-evidence/ABZ3604/logs/tomcat8-stderr.2023-06-12.log", :exception=>Java::JavaNioFile::InvalidPathException, :message=>"Illegal char <:> at index 2: /D:/01-evidence/ABZ3604/logs/tomcat8-stderr.2023-06-12.log", :backtrace=>["java.base/sun.nio.fs.WindowsPathParser.normalize(WindowsPathParser.java:204)", "java.base/sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:175)", "java.base/sun.nio.fs.WindowsPathParser.parse(WindowsPathParser.java:77)", "java.base/sun.nio.fs.WindowsPath.parse(WindowsPath.java:92)", "java.base/sun.nio.fs.WindowsFileSystem.getPath(WindowsFileSystem.java:231)", "org.logstash.filewatch.JrubyFileWatchLibrary$RubyFileExt.open(JrubyFileWatchLibrary.java:103)", "D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.logstash_minus_input_minus_file_minus_4_dot_4_dot_6.lib.filewatch.watched_file.RUBY$method$open$0(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.6/lib/filewatch/watched_file.rb:209)", "D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.logstash_minus_input_minus_file_minus_4_dot_4_dot_6.lib.filewatch.read_mode.handlers.base.RUBY$method$open_file$0(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.6/lib/filewatch/read_mode/handlers/base.rb:39)", "D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.logstash_minus_input_minus_file_minus_4_dot_4_dot_6.lib.filewatch.read_mode.handlers.read_file.RUBY$method$handle_specifically$0(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.6/lib/filewatch/read_mode/handlers/read_file.rb:15)", "D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.logstash_minus_input_minus_file_minus_4_dot_4_dot_6.lib.filewatch.read_mode.handlers.base.RUBY$method$handle$0(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.6/lib/filewatch/read_mode/handlers/base.rb:26)", "D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.logstash_minus_input_minus_file_minus_4_dot_4_dot_6.lib.filewatch.read_mode.processor.RUBY$method$read_file$0(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.6/lib/filewatch/read_mode/processor.rb:21)", "D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.logstash_minus_input_minus_file_minus_4_dot_4_dot_6.lib.filewatch.read_mode.processor.RUBY$block$process_active$0(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-file-4.4.6/lib/filewatch/read_mode/processor.rb:90)", "org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:151)", "org.jruby.runtime.MixedModeIRBlockBody.yieldDirect(MixedModeIRBlockBody.java:111)", "org.jruby.runtime.BlockBody.yield(BlockBody.java:106)", "org.jruby.runtime.Block.yield(Block.java:189)", "org.jruby.RubyArray.each(RubyArray.java:1981)", "org.jruby.RubyArray$INVOKER$i$0$0$each.call(RubyArray$INVOKER$i$0$0$each.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodZeroBlock.call(JavaMethod.java:561)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)", "org.jruby.runtime.callsite.CachingCallSite.callIter(CachingCallSite.java:103)", "org.jruby.ir.instructions.CallBase.interpret(CallBase.java:545)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:220)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:220)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:76)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:164)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:151)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:212)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:456)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:195)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:346)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:88)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:238)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:225)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:228)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:476)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:293)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:324)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:220)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:220)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:201)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:188)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:220)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:466)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:244)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:314)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)", "org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:66)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:58)", "org.jruby.runtime.Block.call(Block.java:144)", "org.jruby.RubyProc.call(RubyProc.java:354)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:111)", "java.base/java.lang.Thread.run(Thread.java:1583)"]}
[2024-09-30T20:13:11,821][DEBUG][logstash.instrument.periodicpoller.cgroup] One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu

I also am seeing this error:

2024-09-30 20:33:10,936 pool-11-thread-1 ERROR An exception occurred processing Appender plain_rolling org.jruby.exceptions.TypeError: (TypeError) no implicit conversion of Hash into String
        at org.jruby.RubyKernel.inspect(org/jruby/RubyKernel.java:2362)
        at org.jruby.RubyHash.inspect(org/jruby/RubyHash.java:953)
        at org.jruby.RubyKernel.inspect(org/jruby/RubyKernel.java:2362)
        at org.jruby.RubyKernel.inspect(org/jruby/RubyKernel.java:2362)
        at org.jruby.RubyKernel.inspect(org/jruby/RubyKernel.java:2362)
        at org.jruby.RubyKernel.inspect(org/jruby/RubyKernel.java:2362)
        at org.jruby.RubyHash.inspect(org/jruby/RubyHash.java:953)
        at org.jruby.RubyHash.to_s(org/jruby/RubyHash.java:1019)
        at org.logstash.log.LoggerExt.debug(org/logstash/log/LoggerExt.java:97)
        at D_3a_.Logstash.logstash_minus_core.lib.logstash.instrument.periodic_poller.base.update(D:/Logstash/logstash-core/lib/logstash/instrument/periodic_poller/base.rb:45)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.collection.copy_on_notify_observer_set.notify_to(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/collection/copy_on_notify_observer_set.rb:102)
        at org.jruby.RubyHash.each(org/jruby/RubyHash.java:1615)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.collection.copy_on_notify_observer_set.notify_to(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/collection/copy_on_notify_observer_set.rb:100)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.collection.copy_on_notify_observer_set.notify_observers(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/collection/copy_on_notify_observer_set.rb:64)
        at RUBY.timeout_task(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/timer_task.rb:329)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.executor.safe_task_executor.execute(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/safe_task_executor.rb:24)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.executor.safe_task_executor.execute(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/safe_task_executor.rb:19)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.ivar.safe_execute(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/ivar.rb:169)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.scheduled_task.process_task(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/scheduled_task.rb:285)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.executor.timer_set.process_tasks(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/timer_set.rb:165)
        at D_3a_.Logstash.vendor.bundle.jruby.$3_dot_1_dot_0.gems.concurrent_minus_ruby_minus_1_dot_1_dot_9.lib.concurrent_minus_ruby.concurrent.executor.java_executor_service.run(D:/Logstash/vendor/bundle/jruby/3.1.0/gems/concurrent-ruby-1.1.9/lib/concurrent-ruby/concurrent/executor/java_executor_service.rb:79)
Caused by: org.jruby.exceptions.TypeError: (TypeError) no implicit conversion of Hash into String

Badger · September 30, 2024, 8:36pm

That seems pretty clear to me. What does the configuration of your file input look like?

dfir · September 30, 2024, 8:39pm

It looks like this:

input {
  file {
    path => "D:/01-evidence/ABZ3604/logs/*"
    start_position => "beginning"
    #sincedb_path => "/dev/null"
    mode => "read"
    file_completed_action => "log"
    file_completed_log_path => "D:/logstash/logs/logstash-tomcat_logs_read.log"   
  }
}

Rios · October 1, 2024, 12:52am

Which LS version have you downloaded? logstash-8.x-windows-x86_64.zip?

There is the for. slash at the begging of the path.

dfir · October 1, 2024, 12:19pm

I am running 8.15.1. I had the / in the beginning. I discovered that the Java errors could be due to another app that was recently installed. I don't think the issue is with the logstash config.

Rios · October 1, 2024, 1:27pm

I have little doubt that another app cause issues.
The forward slash in the log, can be by mistake or from LS linux version on Windows.

Have you solved now?

dfir · October 1, 2024, 1:49pm

No. the issue remains. I keep getting the same java errors. also when I login to the server before I even start elastic I am getting Java Update Errors.

dfir · October 1, 2024, 5:26pm

OK. I have a new server and was able to get it working.

Next Problem. The grok pattern for the tomcat logs is not working.

When I run the grok debugger here are the details:

Sample Data:

192.168.41.10 - - [25/Sep/2024:00:00:01 -0500] "GET / HTTP/1.1" 200 225597

Grok Pattern:


%{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:bytes}```

I see Structured Data in the below section after hitting simulate.

However:

when I enter that Grok Pattern Logstash errors out and requires me to add extra \ and changes the pattern to beL

"%{IP:client_ip} - - \\[%{HTTPDATE:timestamp}\\] \"%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} %{NUMBER:bytes}"

If I dont add the extra \ Logstash errors out. When it runs like this everything gets put into 1 column: event.original.

I suspect something is wrong with the pattern, or I need to adjust something in elasticsearch.

Who can advise how I can proceed?

dfir · October 1, 2024, 6:01pm

Ok so I was able to get the Grok pattern to work, however..

now there is a timestamp issue.

The @timestmap column is showing the ingest time and not the time from the log.

Is there an easy fix ?

dfir · October 1, 2024, 6:50pm

All good here. I created the column type mapping before ingesting

Rios · October 1, 2024, 7:14pm

You can use grok like below. It combines HTTPDUSER and HAproxy patterns, and follow ECS.

input {
  generator { 
    message =>   [ '192.168.41.10 - - [21/Sep/2024:00:00:01 -0500] "GET / HTTP/1.1" 200 225597' ]
    count => 1 } 
}
filter {
  grok { match => { "message" => '%{IPORHOST:[source][address]} (?:-|%{HTTPDUSER:[user][name]}) (?:-|%{HTTPDUSER:[user][name]}) \[%{HAPROXYDATE:[http][request_date]}\] \"(?:%{WORD:[http][request][method]} %{NOTSPACE:[url][original]}(?: HTTP/%{NUMBER:[http][version]})?|%{DATA})\" (?:-|%{INT:[http][response][status_code]:int}) (?:-|%{INT:[http][response][body][bytes]:int})' } }

  date {
    match => [ "[http][request_date]", "dd/MMM/yyyy:HH:mm:ss ZZ"] 
    target => "@timestamp"
  }
  mutate {  remove_field => ["@version", "event", "host"] }
}
output {
 stdout {codec => rubydebug}
}

dfir · October 17, 2024, 4:33pm

HI All:

I am working on another GROK pattern and hitting some snags. Here are the details:

Sample Log Line:

logver=0702071577 idseq=237867271677022888 itime=1723855010 devid="FGT60E4Q17040542" devname="central-il-cu" vd="root" date=2024-08-16 time=19:36:47 eventtime=1723855007026597042 tz="-0500" logid="0000000020" type="traffic" subtype="forward" level="notice" srcip=1.1.1.1srcport=63018 srcintf="HSwitch" srcintfrole="undefined" dstip=2.2.2.2 dstport=443 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstinetsvc="Slack-Slack" dstcountry="United States" dstregion="1830" dstcity="Dublin" dstreputation=5 sessionid=198760625 proto=6 action="accept" policyid=1 policytype="policy" poluuid="30b62a18-cfef-51ed-c877-8881892f8c48" service="Slack-Slack" trandisp="snat" transip=3.3.3.3transport=63018 appid=43345 app="Slack" appcat="Collaboration" apprisk="elevated" applist="block-p2p" duration=15220 sentbyte=231887 rcvdbyte=326742 sentpkt=3389 rcvdpkt=2022 sentdelta=2184 rcvddelta=2287

Here is the GROK Pattern:

This Grok pattern works when I run the Grok Debugger in Elastic.

logver=%{NUMBER:log_version} idseq=%{NUMBER:idseq} itime=%{NUMBER:itime} devid="%{DATA:devid}" devname="%{DATA:devname}" vd="%{DATA:vd}" date=%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} time=%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} eventtime=%{NUMBER:eventtime} tz="%{DATA:tz}" logid="%{DATA:logid}" type="%{DATA:type}" subtype="%{DATA:subtype}" level="%{DATA:level}" srcip=%{IP:srcip} srcport=%{DATA:srcport} srcintf="%{DATA:srcintf}" srcintfrole="%{DATA:srcintfrole}" dstip=%{IP:dstip} dstport=%{DATA:dstport} dstintf="%{DATA:dstintf}" dstintfrole="%{DATA:dstintfrole}" srccountry="%{DATA:srccountry}" dstinetsvc="%{DATA:dstinetsvc}" dstcountry="%{DATA:dstcountry}" dstregion="%{DATA:dstregion}" dstcity="%{DATA:dstcity}" dstreputation=%{DATA:dstreputation} sessionid=%{DATA:sessionid} proto=%{DATA:proto} action="%{DATA:action}" policyid=%{DATA:policyid} policytype="%{DATA:policytype}" poluuid="%{DATA:poluuid}" service="%{DATA:service}" trandisp="%{DATA:trandisp}" transip=%{IP:transip} transport=%{DATA:transport} appid=%{DATA:appid} app="%{DATA:app}" appcat="%{DATA:appcat}" apprisk="%{DATA:apprisk}" applist="%{DATA:applist}" duration=%{DATA:duration} sentbyte=%{DATA:sentbyte} rcvdbyte=%{DATA:rcvdbyte} sentpkt=%{DATA:sentpkt} rcvdpkt=%{DATA:rcvdpkt} sentdelta=%{DATA:sentdelta} rcvddelta=%{DATA:rcvddelta}

This is the Error I am getting:

] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 10, column 84 (byte 218) after filter {\r\n  grok {\r\n    match => { \"message\" => \"logver=%{NUMBER:log_version}\" \"idseq=%{NUMBER:idseq}\" ", :backtrace=>[

Can someone please look and let me know what I am missing from the GROK pattern?

Thanks
Anthony

Badger · October 17, 2024, 5:20pm

Please start a new thread if you have a new question. And include the actual grok pattern you are using, because the one you show and the one in the error message do not match.