Logstash::ConfigurationError:message=>"Expected one of [ \\t\\r\\n], \"#\", \"input\", \"filter\", \"output\" at line 3, column 1 (byte 3) after \n\n"

Logstash shows the following error. What is the error in the configuration file?

VARSARAF-M-PAPE:~ varsaraf$ logstash -f /usr/local/etc/logstash/conf.d/syslog.conf
Thread.exclusive is deprecated, use Thread::Mutex
Sending Logstash logs to /usr/local/Cellar/logstash/7.5.2/libexec/logs which is now configured via log4j2.properties
[2020-02-11T12:46:42,806][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-02-11T12:46:42,898][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.5.2"}
[2020-02-11T12:46:43,526][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 3, column 1 (byte 3) after \n\n", :backtrace=>["/usr/local/Cellar/logstash/7.5.2/libexec/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/local/Cellar/logstash/7.5.2/libexec/logstash-core/lib/logstash/compiler.rb:49:in compile_graph'", "/usr/local/Cellar/logstash/7.5.2/libexec/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2584:in map'", "/usr/local/Cellar/logstash/7.5.2/libexec/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:156:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/local/Cellar/logstash/7.5.2/libexec/logstash-core/lib/logstash/java_pipeline.rb:27:in initialize'", "/usr/local/Cellar/logstash/7.5.2/libexec/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/local/Cellar/logstash/7.5.2/libexec/logstash-core/lib/logstash/agent.rb:326:in block in converge_state'"]}
[2020-02-11T12:46:43,768][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2020-02-11T12:46:48,889][INFO ][logstash.runner ] Logstash shut down.

My configuration file is also given below:

input {
  file {
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  dd HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "syslog-demo"
  }
  stdout { codec => rubydebug }
}
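
The error above reports a position (line 3, column 1), so one check is to look at exactly which character the file on disk holds there and whether the file contains anything outside printable ASCII. The following Python is an added example, not part of the original post or of Logstash; its function names are hypothetical, it assumes the reported line and column are 1-based character positions, and the sample text is constructed rather than taken from the poster's file.

```python
import re
import unicodedata

# Position format as it appears in the error on this page.
POSITION = re.compile(r"at line (\d+), column (\d+) \(byte (\d+)\)")
ALLOWED_CONTROL = {"\t", "\r", "\n"}

def parse_position(message):
    """Return (line, column) from a ConfigurationError message, or None."""
    m = POSITION.search(message)
    return (int(m.group(1)), int(m.group(2))) if m else None

def describe(ch):
    """Code point plus Unicode name, so invisible characters become readable."""
    return "U+%04X %s" % (ord(ch), unicodedata.name(ch, "<unnamed control>"))

def char_at(text, line, column):
    """Describe the character at a 1-based line/column (assumed convention)."""
    lines = text.split("\n")
    if not 1 <= line <= len(lines) or not 1 <= column <= len(lines[line - 1]):
        return None  # position is past the end of the line or of the file
    return describe(lines[line - 1][column - 1])

def suspicious_chars(text):
    """List (line, column, description) for every character that is neither
    printable ASCII nor tab/CR/LF."""
    found = []
    for ln, row in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(row, start=1):
            if ch in ALLOWED_CONTROL or " " <= ch <= "~":
                continue
            found.append((ln, col, describe(ch)))
    return found

def inspect_config(path, message):
    """Read a config file and report what sits at the position in `message`."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    pos = parse_position(message)
    return (char_at(text, *pos) if pos else None), suspicious_chars(text)

# Constructed sample, not the poster's file: two blank lines, then a
# no-break space in front of "input".
SAMPLE = "\n\n\u00a0input {\n}\n"
# Message text as logged on this page (trailing "after" part omitted).
PAGE_ERROR = 'Expected one of [ \\t\\r\\n], "#", "input", "filter", "output" at line 3, column 1 (byte 3)'
```

Calling `inspect_config("/usr/local/etc/logstash/conf.d/syslog.conf", PAGE_ERROR)` returns the description of the character at the reported position (or `None` if the file has nothing there) together with every non-ASCII or control character found in the file.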
