Hello Greetings,
Can some one help us to fix as we start logstash service it stops with in few minutes and logs shows with the below error,
{:timestamp=>"2015-11-30T13:04:07.450000-0600", :message=>"The error reported is: \n pattern %{HOST:WebSiteName} not defined"}
~
What version are you on, what does your config look like?
Version: logstash1.5
30-lumberjack-output.conf
output {
stdout { codec => rubydebug }
if [URI] != ""{
elasticsearch {
host => "testlogs.com"
cluster => "ElasticLogs"
protocol=> "http"
index => "weblogs-%{+YYYY.MM.dd}"
manage_template => "false"
}
}
else{
elasticsearch {
host => "testlogs.com"
cluster => "ElasticLogs"
protocol=> "http"
index => "errorlog-%{+YYYY.MM.dd}"
manage_template => "false"
}
}
}
01-lumberjack-input.conf
input {
lumberjack {
port => 5043
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
Okay, those are the input and outputs but what about the grok filters (or whatever is producing the error message)?
here you go .
filter {
grok {
match => {
'message' => '\A%{TIMESTAMP_ISO8601:DateTime}%{SPACE}%{URIPATHPARAM:URI}%{SPACE}%{INT:Status}%{SPACE}%{QUOTEDSTRING:ComputerName}%{SPACE}%{QUOTEDSTRING:Referer}%{SPACE}%{INT:Win32Status}%{SPACE}%{NUMBER:BytesSent}%{SPACE}%{NUMBER:BytesReceived}%{SPACE}%{QUOTEDSTRING:UserAgent}%{SPACE}%{IP:ServerIP}%{SPACE}%{INT:ServerPort}%{SPACE}%{QUOTEDSTRING:Protocol}%{SPACE}%{PROG:Method}%{SPACE}%{IP:ClientIP}%{SPACE}%{NUMBER:TimeTaken}%{SPACE}%{NUMBER:RequestPerSecond}%{SPACE}%{HOST:WebSiteName}%{SPACE}%{GREEDYDATA:QRY}'
}
}
# The timestamp may have commas instead of dots. Convert so as to store everything in the same way
mutate {
gsub => [
# replace all commas with dots
"DateTime", ",", "."
]
}
mutate {
gsub => [
# make the logTimestamp sortable. With a space, it is not! This does not work that well, in the end
# but somehow apparently makes things easier for the date filter
"DateTime", " ", ";"
]
}
# User Agent
useragent {
add_tag => [ "UA" ]
source => "UserAgent"
}
date {
locale => "en"
match => ["DateTime", "YYYY-MM-dd;HH:mm:ss.SSS"]
target => "@timestamp"
}
if [type] == "IISlogs" {
if [UserAgent] != "-" and [UserAgent] != "" {
useragent {
add_tag => [ "UA" ]
source => "UserAgent"
}
}
if "UA" in [tags] {
if [device] == "Other" { mutate { remove_field => "device" } }
if [name] == "Other" { mutate { remove_field => "name" } }
if [os] == "Other" { mutate { remove_field => "os" } }
}
}
geoip {
source => "ClientIP"
target => "geoip"
database =>"/etc/logstash/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
convert => [ "BytesSent", "integer" ]
convert => [ "BytesReceived", "integer" ]
convert => [ "RequestsPerSecond", "integer" ]
}
}
That's odd. HOST is definitely a valid pattern in Logstash 1.5. Does the problem go away if you delete that part from the grok expression? Have you double-checked that you don't have any weird non-printable characters in the expression? What's actually in your grok pattern files (have a look in /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-*/patterns/grok-patterns)?
Yes, I tried {HOST:WebSiteName} changing this Grok pattern to {HOSTNAME:WebSiteName} and it works like charm.
Thanks.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.