LogStash returns an error in connection with VMWare

heisenberg93 · November 16, 2023, 2:23pm

Hi,

I set the forwarding configuration in a vCenter server to the port of my Elastic server where Logstash is running and set port 9300. Now my Logstash config for this looks like this:

input {
        tcp {
                type => "FPS"
                port => "9300"
                tags => ["VMware,FPS"]
        }
}
filter {
        if [type] == "FPS" {
                        grok {
                            match => { "message" => [
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \[%{GREEDYDATA:Task_type} %{WORD:Log_nivel} %{GREEDYDATA:Title} opId = ] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} %{INT:Process_id} - -  Event \[%{INT:Evento_id}\] \[1-1\] \[%{TIMESTAMP_ISO8601:log_close}\] \[%{GREEDYDATA:Title}\] \[%{WORD:Log_nivel}\] \[%{GREEDYDATA:User}\] \[%{DATA:Site}\] \[%{INT:Evento_id}\] \[%{GREEDYDATA:Message}\]",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\] %{TIMESTAMP_ISO8601:HTTP_date} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version} %{INT:HTTP_code} %{PROG:HTTP_response_code} - %{INT:HTTP_bytes_received} %{INT:HTTP_bytes_enviados} %{INT:HTTP_duration} %{INT:HTTP_response_time} %{INT:HTTP_req_forwarder} %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} %{IPV4:HTTP_ip_destino1}:%{INT:HTTP_destination_port1} %{IPV4:HTTP_ip_origen2}:%{INT:HTTP_port_origen2} %{IPV4:HTTP_ip_destino2}:%{INT:HTTP_puerto_destino2}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\] %{TIMESTAMP_ISO8601:HTTP_date} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version} %{INT:HTTP_code} %{PROG:HTTP_response_code} - %{INT:HTTP_bytes_received} %{INT:HTTP_bytes_enviados} %{INT:HTTP_duration} %{INT:HTTP_response_time} %{INT:HTTP_req_forwarder} %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} %{IPV4:HTTP_ip_destino1}:%{INT:HTTP_destination_port1} %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title} opId =%{PROG:Op_id}\] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \[%{PROG:Process_log}\] %{WORD:Log_nivel}\s+opId=%{DATA:Op_id} - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\] \[%{DATA:Tipo_unit}\] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{INT:Evento_id}\] \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - \[%{HTTPDATE:log_close}\] %{PROG:Process_log} \[%{WORD:HTTP_request}\] %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} to %{HOSTNAME:HTTP_team_target} %{INT:HTTP_destination_port1} - %{PROG:HTTP_version} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path}\s+[%{WORD:HTTP_response}\] %{INT:HTTP_code} - %{INT:HTTP_bytes} <span class="tr_" id="tr_0" data-source="" data-orig="bytes\s+\">bytes\s+\</span>[%{PROG:HTTP_log_proceso}\] process %{INT:Total_time}ms / commit %{INT:Time_connection}ms / conn \[\+\]",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log} \[%{DATA:Process_log}\] \[opID =%{PROG:Op_id}\] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\[%{DATA:Process_log}\] \[OpId =%{PROG:Op_id}\] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \|\s+%{WORD:Log_nivel} \| %{PROG:Process_log} \| %{DATA:Logging in} \| %{INT:Pid} \| %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \|\s+%{WORD:Log_nivel} \| %{PROG:Process_log} \| %{DATA:Logging in} \| %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+[%{TIMESTAMP_ISO8601:log_close}\] \[%{WORD:Log_nivel} \] %{PROG:Process_log} %{PROG:Task} %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \[%{PROG:Process_log}\s+%{WORD:Log_nivel} %{GREEDYDATA:Title} opId =%{PROG:Op_id}\] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \[%{PROG:Process_log}\s+%{WORD:Log_nivel} %{GREEDYDATA:Title} opId =%{PROG:Op_id} %{WORD:Nipu}\] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+[%{TIMESTAMP_ISO8601:log_close}\] %{WORD:Log_nivel}\[%{PROG:Process_log}\] - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} %{INT:Log_bytes} %{INT:Pid} %{PROG:Process_log} %{INT:HTTP_code} \"%{GREEDYDATA:Title}\" %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} procstate - - - %{DATA:User}\s+%{PROG:Log_pid}\s+%{DATA:CPU}\s+%{DATA:Memory}\s+%{DATA:MemoriaVirtual}\s+%{DATA:Memory Process}\s+%{DATA:TTY}\s+%{DATA:Stat}\s+%{DATA:Start Time}\s+%{DATA:Weather}\s+%{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} sca - - -\s+%{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process} \[%{PROG:Pool}\] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} applmgmt-audit - - - %{TIMESTAMP_ISO8601:log_close}: %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} applmgmt - - - %{TIMESTAMP_ISO8601:log_close} \[%{INT:Evento_id}\]%{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} procstate - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} sca-vmon.std - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vsan-health-main - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} by-log4cpp - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vmcad - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} eam-main - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} cis-license - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vmdird - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} sps-gc - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vstats - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vapi-runtime - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} vpxd profiles - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} rsyslogd - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} trustmanagement-svcs - - - %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{SYSLOGTIMESTAMP:Date} %{PROG:Process_log}\[%{INT:Pid}\]: %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{TZ:Time zone} %{PROG:Process} %{INT:Log_id}\s+LOG:\s+%{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close}\| %{PROG:Process}\| I005: %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{PROG:Process} %{WORD:Log_nivel} %{PROG:Task} %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} ui-access - - - %{IPV4:HTTP_ip_destino1} %{IPV4:HTTP_ip_origen1} - - \[%{HTTPDATE:Date}\] \"%{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version}\" %{INT:HTTP_code} %{PROG:HTTP_response_code} - %{DATA:HTTP_bytes_received} %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} it-access - - - %{IPV4:HTTP_ip_destino1} %{IPV4:HTTP_ip_origen1} - - \[%{HTTPDATE:Date}\] \[%{PROG:Process_log}\] \"%{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version}\" %{INT:HTTP_code} %{PROG:HTTP_response_code} \[Processing time %{INT:Weather} <span class="tr_" id="tr_1" data-source="" data-orig="msec\">msec\</span>] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} \[%{PROG:Process}\]\[%{WORD:Log_nivel}\] %{PROG:Task}: %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{PROG:Process} %{WORD:Log_nivel} %{PROG:Task} %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - \[%{TIMESTAMP_ISO8601:log_close}\] \[%{WORD:Log_nivel}\s+] %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} \| %{PROG:Process_log} \| %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} CROND %{INT:Pid} - - \(%{USERNAME:User}\) CMD \(%{GREEDYDATA:Message}\)",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} \|\s+%{WORD:Log_nivel} \| %{PROG:Evento_id}\ \| %{PROG:Process} \| %{DATA:Task} \| %{GREEDYDATA:Message}",
                              "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\s+%{TIMESTAMP_ISO8601:log_close} %{PROG:Process_log} %{WORD:Log_nivel} %{PROG:Task} %{GREEDYDATA:Message}"
                                       ]
                            }
                        }
        }
}
output {
        if ([type]=="FPS"){
                elasticsearch {
                   index => "vmware_vcsa-%{+YYYY.MM.dd}"
                   hosts => "localhost:9200"
                   protocol => "https"
                   username => "elastic_logstash_admin"
                   password => "***"
                }
        }
}

Leider erscheint nach Neustart des Logstash-Services immer folgender Fehler:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", [A-Za-z0-9_-], '\"', \"'\", [A-Za-z_], \"-\", [0-9], \"[\", \"{\", \"]\" at line 3, column 13 (byte 39) after output {\n\telasticsearch {\n\t\thosts => [", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:239:in `initialize'", "org/logstash/execution/AbstractPipelineExt.java:173:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "org/jruby/RubyClass.java:931:in `new'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:49:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in `block in converge_state'"]}

Where exactly is my error now? Or how can I better understand the error? As I understand it, the message in row 1, column 13 does not fit somehow. But the index has not even been created yet.

Thanks for any help.

Badger · November 16, 2023, 5:32pm

You say that your configuration has hosts => "localhost:9200", but logstash says that it has

output {
    elasticsearch {
        hosts => [

You are not running the configuration that you think you are running. Whatever is the first entry in the hosts array is not a valid URL.

heisenberg93 · November 29, 2023, 9:24am

Thanks for your help. Okay, I have uncovered the error of another configuration. Unfortunately, the config I created above for vcenter still doesn't work. The error now appears:

:message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \",\", \"]\" at line 20, column 455 (byte 3896) 
after filter {\n        if [type] == \"FPS\" {\n                        grok {\n                            
match => { \"message\" => [\n                              
\"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -
\\s+%{TIMESTAMP_ISO8601:log_close} \\[%{GREEDYDATA:Task_type} %{WORD:Log_nivel} %{GREEDYDATA:Title} opId = ] %{GREEDYDATA:Message}\",\n                              
\"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} %{INT:Process_id} - -  
Event \\[%{INT:Evento_id}\\] \\[1-1\\] \\[%{TIMESTAMP_ISO8601:log_close}\\] \\[%{GREEDYDATA:Title}\\] \\[%{WORD:Log_nivel}\\] 
\\[%{GREEDYDATA:User}\\] \\[%{DATA:Site}\\] \\[%{INT:Evento_id}\\] \\[%{GREEDYDATA:Message}\\]\",\n                              
\"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - 
%{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\\[%{INT:Evento_id}\\] \\
[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\\] %{TIMESTAMP_ISO8601:HTTP_date} %{WORD:HTTP_log_accion} 
%{UNIXPATH:HTTP_path} %{PROG:HTTP_version} %{INT:HTTP_code} %{PROG:HTTP_response_code} - 
%{INT:HTTP_bytes_received} %{INT:HTTP_bytes_enviados} %{INT:HTTP_duration} %{INT:HTTP_response_time}
 %{INT:HTTP_req_forwarder} %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} %{IPV4:HTTP_ip_destino1}
 :%{INT:HTTP_destination_port1} %{IPV4:HTTP_ip_origen2}:%{INT:HTTP_port_origen2} %{IPV4:HTTP_ip_destino2}:%{INT:HTTP_puerto_destino2}\",\n                             
 \"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} 
 %{WORD:Log_nivel} %{PROG:Process_log}\\[%{INT:Evento_id}\\] \\[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\\] 
 %{TIMESTAMP_ISO8601:HTTP_date} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version} %{INT:HTTP_code} 
 %{PROG:HTTP_response_code} - %{INT:HTTP_bytes_received} %{INT:HTTP_bytes_enviados} %{INT:HTTP_duration} 
 %{INT:HTTP_response_time} %{INT:HTTP_req_forwarder} %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1}
 %{IPV4:HTTP_ip_destino1}:%{INT:HTTP_destination_port1} %{GREEDYDATA:Message}\",\n                              
 \"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - 
 %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\\[%{INT:Evento_id}\\] 
 \\[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title} opId =%{PROG:Op_id}\\] %{GREEDYDATA:Message}\",\n                         
 \"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - -\\s+%{TIMESTAMP_ISO8601:log_close}
 \\[%{PROG:Process_log}\\] %{WORD:Log_nivel}\\s+opId=%{DATA:Op_id} - %{GREEDYDATA:Message}\",\n                             
 \"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close}
 %{WORD:Log_nivel} %{PROG:Process_log}\\[%{INT:Evento_id}\\] \\[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\\] 
 \\[%{DATA:Tipo_unit}\\] %{GREEDYDATA:Message}\",\n                              \"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} 
 %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - %{TIMESTAMP_ISO8601:log_close} %{WORD:Log_nivel} %{PROG:Process_log}\\[%{INT:Evento_id}\\] \
 \[%{GREEDYDATA:Originator} sub=%{GREEDYDATA:Title}\\] %{GREEDYDATA:Message}\",\n                           
 \"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - 
 \\[%{HTTPDATE:log_close}\\] %{PROG:Process_log} \\[%{WORD:HTTP_request}\\] %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} 
 to %{HOSTNAME:HTTP_team_target} %{INT:HTTP_destination_port1} - %{PROG:HTTP_version} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path}\
 \s+[%{WORD:HTTP_response}\\] %{INT:HTTP_code} - %{INT:HTTP_bytes} <span class=\"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_im
 perative'", "org/logstash/execution/AbstractPipelineExt.java:239:in `initialize'", "org/logstash/execution/AbstractPipelineExt.java:173:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "org/jruby/RubyClass.java:931:in `new'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:49:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in `block in converge_state'"]}

Do you have a solution for this?

Rios · November 29, 2023, 2:09pm

Your .conf file is not OK, test your configuration with -t option and you will find errors in lines 20 and 53. The problem is a quote under the quotes. You should use " something... \"...\"... again something" or single quotes ' something... "" ... again something'

The line 20:
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} %{PROG:Log_name} - - - \[%{HTTPDATE:log_close}\] %{PROG:Process_log} \[%{WORD:HTTP_request}\] %{IPV4:HTTP_ip_origen1}:%{INT:HTTP_port_origen1} to %{HOSTNAME:HTTP_team_target} %{INT:HTTP_destination_port1} - %{PROG:HTTP_version} %{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path}\s+[%{WORD:HTTP_response}\] %{INT:HTTP_code} - %{INT:HTTP_bytes} <span class=\"tr_\" id=\"tr_0\" data-source=\"\" data-orig=\"bytes\s+\">bytes\s+\</span>[%{PROG:HTTP_log_proceso}\] process %{INT:Total_time}ms / commit %{INT:Time_connection}ms / conn \[\+\]",

The line 53:
"<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:Date} %{HOSTNAME:Server_VCSA} it-access - - - %{IPV4:HTTP_ip_destino1} %{IPV4:HTTP_ip_origen1} - - \[%{HTTPDATE:Date}\] \[%{PROG:Process_log}\] \"%{WORD:HTTP_log_accion} %{UNIXPATH:HTTP_path} %{PROG:HTTP_version}\" %{INT:HTTP_code} %{PROG:HTTP_response_code} \[Processing time %{INT:Weather} <span class=\"tr_\" id=\"tr_1\" data-source=\"\" data-orig=\"msec\">msec\</span>] %{GREEDYDATA:Message}",

And port is the number type: port => 9300

system · December 27, 2023, 2:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Use logstash to connect VMware vCenter API? Logstash	8	681	January 3, 2024
Configuration Logstash 8.6.1 for monitoring VMWare server Logstash	3	320	June 27, 2023
Failure when parsing logs -> results in a lot of worthless Logs Logstash	4	426	June 11, 2020
How to get CPU, Memory and Storage from VCenter not VM's using Logstash Logstash	1	210	June 28, 2023
VMware/vCenter logging Logstash	1	531	November 21, 2018

LogStash returns an error in connection with VMWare

Related topics