Hi,
I set the forwarding configuration in a vCenter server to the port of my Elastic server where Logstash is running and set port 9300. Now my Logstash config for this looks like this:
input {
tcp {
type => "FPS"
port => "9300"
tags => ["VMware,FPS"]
}
}
filter {
if [type] == "FPS" {
grok {
match => { "message" => [
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \[%{GREEDYDATA:Task_type} %{WORD:Log_nivel} %{GREEDYDATA:Title} opId = ] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} %{INT:Process_id} - - Event \[%{INT:Evento_id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:log_close}\] \[%{GREEDYDATA:Title}\] \[%{WORD:Log_nivel}\] \[%{GREEDYDATA:User}\] \[%{DATA:Site}\] \[%{INT:Evento_id}\] \[%{GREEDYDATA:Message}\]",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\] %{TIMESTAMP_ISO8601:HTTP_date} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version} %{INT:HTTP_code} %{PROG:HTTP_response_code} - %{INT:HTTP_bytes_received} %{INT:HTTP_bytes_enviados} %{INT:HTTP_duration} %{INT:HTTP_response_time} %{INT:HTTP_req_forwarder} %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} %{IPV4:HTTP_ip_destino1}:%{INT:HTTP_destination_port1} %{IPV4:HTTP_ip_origen2}:%{INT:HTTP_port_origen2} %{IPV4:HTTP_ip_destino2}:%{INT:HTTP_puerto_destino2}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\] %{TIMESTAMP_ISO8601:HTTP_date} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version} %{INT:HTTP_code} %{PROG:HTTP_response_code} - %{INT:HTTP_bytes_received} %{INT:HTTP_bytes_enviados} %{INT:HTTP_duration} %{INT:HTTP_response_time} %{INT:HTTP_req_forwarder} %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} %{IPV4:HTTP_ip_destino1}:%{INT:HTTP_destination_port1} %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title} opId =%{PROG:Op_id}\] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \[%{PROG:Process_log}\] %{WORD:Log_nivel}\s+opId=%{DATA:Op_id} - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\] \[%{DATA:Tipo_unit}\] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - \[%{HTTPDATE:log_close}\] %{PROG:Process_log} \[%{WORD:HTTP_request}\] %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} to %{HOSTNAME:HTTP_team_target} %{INT:HTTP_destination_port1} - %{PROG:HTTP_version} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path}\s+[%{WORD:HTTP_response}\] %{INT:HTTP_code} - %{INT:HTTP_bytes} <span class="tr_" id="tr_0" data-source="" data-orig="bytes\s+\">bytes\s+\</span>[%{PROG:HTTP_log_proceso}\] process %{INT:Total_time}ms / commit %{INT:Time_connection}ms / conn \[\+\]",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log} \[%{DATA:Process_log}\] \[opID =%{PROG:Op_id}\] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{DATA:Process_log}\] \[OpId =%{PROG:Op_id}\] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \|\s+%{WORD:Log_nivel} \| %{PROG:Process_log} \| %{DATA:Logging in} \| %{INT:Pid} \| %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \|\s+%{WORD:Log_nivel} \| %{PROG:Process_log} \| %{DATA:Logging in} \| %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+[%{TIMESTAMP_ISO8601:log_close}\] \[%{WORD:Log_nivel} \] %{PROG:Process_log} %{PROG:Task} %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \[%{PROG:Process_log}\s+%{WORD:Log_nivel} %{GREEDYDATA:Title} opId =%{PROG:Op_id}\] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \[%{PROG:Process_log}\s+%{WORD:Log_nivel} %{GREEDYDATA:Title} opId =%{PROG:Op_id} %{WORD:Nipu}\] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+[%{TIMESTAMP_ISO8601:log_close}\] %{WORD:Log_nivel}\[%{PROG:Process_log}\] - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} %{INT:Log_bytes} %{INT:Pid} %{PROG:Process_log} %{INT:HTTP_code} \"%{GREEDYDATA:Title}\" %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} procstate - - - %{DATA:User}\s+%{PROG:Log_pid}\s+%{DATA:CPU}\s+%{DATA:Memory}\s+%{DATA:MemoriaVirtual}\s+%{DATA:Memory Process}\s+%{DATA:TTY}\s+%{DATA:Stat}\s+%{DATA:Start Time}\s+%{DATA:Weather}\s+%{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} sca - - -\s+%{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process} \[%{PROG:Pool}\] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} applmgmt-audit - - - %{TIMESTAMP_ISO8601:log_close}: %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} applmgmt - - - %{TIMESTAMP_ISO8601:log_close} \[%{INT:Evento_id}\]%{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} procstate - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} sca-vmon.std - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vsan-health-main - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} by-log4cpp - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vmcad - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} eam-main - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} cis-license - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vmdird - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} sps-gc - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vstats - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vapi-runtime - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vpxd profiles - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} rsyslogd - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} trustmanagement-svcs - - - %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{SYSLOGTIMESTAMP:Date} %{PROG:Process_log}\[%{INT:Pid}\]: %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{TZ:Time zone} %{PROG:Process} %{INT:Log_id}\s+LOG:\s+%{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close}\| %{PROG:Process}\| I005: %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{PROG:Process} %{WORD:Log_nivel} %{PROG:Task} %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} ui-access - - - %{IPV4:HTTP_ip_destino1} %{IPV4:HTTP_ip_origen1} - - \[%{HTTPDATE:Date}\] \"%{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version}\" %{INT:HTTP_code} %{PROG:HTTP_response_code} - %{DATA:HTTP_bytes_received} %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} it-access - - - %{IPV4:HTTP_ip_destino1} %{IPV4:HTTP_ip_origen1} - - \[%{HTTPDATE:Date}\] \[%{PROG:Process_log}\] \"%{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version}\" %{INT:HTTP_code} %{PROG:HTTP_response_code} \[Processing time %{INT:Weather} <span class="tr_" id="tr_1" data-source="" data-orig="msec\">msec\</span>] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} \[%{PROG:Process}\]\[%{WORD:Log_nivel}\] %{PROG:Task}: %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{PROG:Process} %{WORD:Log_nivel} %{PROG:Task} %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - \[%{TIMESTAMP_ISO8601:log_close}\] \[%{WORD:Log_nivel}\s+] %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} \| %{PROG:Process_log} \| %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} CROND %{INT:Pid} - - \(%{USERNAME:User}\) CMD \(%{GREEDYDATA:Message}\)",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \|\s+%{WORD:Log_nivel} \| %{PROG:Evento_id}\ \| %{PROG:Process} \| %{DATA:Task} \| %{GREEDYDATA:Message}",
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} %{PROG:Process_log} %{WORD:Log_nivel} %{PROG:Task} %{GREEDYDATA:Message}"
]
}
}
}
}
output {
if ([type]=="FPS"){
elasticsearch {
index => "vmware_vcsa-%{+YYYY.MM.dd}"
hosts => "localhost:9200"
protocol => "https"
username => "elastic_logstash_admin"
password => "***"
}
}
}
Leider erscheint nach Neustart des Logstash-Services immer folgender Fehler:
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", [A-Za-z0-9_-], '\"', \"'\", [A-Za-z_], \"-\", [0-9], \"[\", \"{\", \"]\" at line 3, column 13 (byte 39) after output {\n\telasticsearch {\n\t\thosts => [", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:239:in `initialize'", "org/logstash/execution/AbstractPipelineExt.java:173:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "org/jruby/RubyClass.java:931:in `new'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:49:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in `block in converge_state'"]}
Where exactly is my error now? Or how can I better understand the error? As I understand it, the message in row 1, column 13 does not fit somehow. But the index has not even been created yet.
Thanks for any help.