Logstash - Simple Log Ingest

Hello there,

I'm a total newb to ELK, so at this point I am just trying to ingest a log file from a specific path using a Logstash configuration file in conf.d. It's just not working, however...

This is what my conf file looks like:

        input {
                file {
                        path => "/home/admin/Documents/secure"
                        start_position => "beginning"
                }
        }

        filter {
                grok {
                        # The pattern string must be closed with a double quote; the
                        # missing quote is what produces the "Expected one of ..." parse error.
                        # With config.support_escapes at its default (false) the brackets are
                        # escaped as \[ and \] in a Logstash config, not \\[ and \\] as in the
                        # JSON form of the same pattern. Standard syslog sshd lines read
                        # "sshd[1234]: Accepted ...", so ": " is needed after the optional pid.
                        match => { "message" => "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.sshmethod} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?" }
                }
        }

        output {
                elasticsearch {
                        hosts => "http://localhost:9200"
                        index => "securelog"
                }
        }

And this is what I get when I test it:

        WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
        Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
        [INFO ] 2020-09-03 14:50:10.127 [main] runner - Starting Logstash {"logstash.version"=>"7.9.0", "jruby.version"=>"jruby 9.2.12.0 (2.5.7) 2020-07-01 db01a49ba6 OpenJDK 64-Bit Server VM 25.262-b10 on 1.8.0_262-b10 +indy +jit [linux-x86_64]"}
        [WARN ] 2020-09-03 14:50:10.751 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
        [FATAL] 2020-09-03 14:50:11.562 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "{", "}" at line 16, column 13 (byte 521) after filter {
        	grok {
        		match => { "message" => "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\\[%{POSINT:system.auth.pid}\\])? %{DATA:system.auth.ssh.event} %{DATA:system.auth.sshmethod} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})? }
        	}
        }
        		
        output {
        	elasticsearch {
        		hosts => "
        [ERROR] 2020-09-03 14:50:11.566 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

It seems like this should be super simple, but I just can't get it to work :frowning:

Any advice would be greatly appreciated!
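Before feeding a grok pattern to Logstash it is worth checking what it actually extracts from real sshd lines. The following is an added example, not code from the post or from Logstash itself: it hand-expands the grok pattern above into an equivalent Python regex (grok's SYSLOGTIMESTAMP, SYSLOGHOST, POSINT, DATA, IPORHOST, NUMBER and GREEDYDATA are approximated with simpler sub-expressions, DATA as the non-greedy `.*?` and GREEDYDATA as the greedy `.*`, as in grok), runs it over a few constructed lines in the /var/log/secure format, and counts failed logins per source IP the way a first detection query would. It assumes standard syslog-formatted sshd messages of the form `sshd[pid]: ...`; the `: ` after the optional pid is required to match them, and a variant without it is included only to show that it matches nothing. Names such as `parse_sshd_line` and `failed_logins_by_ip` are this example's own.

```python
import re
from collections import Counter

# Hand-expansion of the grok pattern from the question into a Python regex.
# Grok's SYSLOGTIMESTAMP, SYSLOGHOST, POSINT, DATA, IPORHOST, NUMBER and
# GREEDYDATA are approximated here; DATA is the non-greedy ".*?" and
# GREEDYDATA the greedy ".*", exactly as in grok. The "invalid user " group is
# named so the caller can tell a non-existent account from a real one.
# Note the ": " after the optional "[pid]": standard syslog sshd lines read
# "sshd[1234]: Accepted ...", so the colon is required for a match.
SSHD_AUTH_RE = re.compile(
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"sshd(?:\[(?P<pid>[1-9]\d*)\])?: "
    r"(?P<event>.*?) (?P<method>.*?) for "
    r"(?P<invalid>invalid user )?(?P<user>.*?) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<signature>.*))?"
)

# Same expression with the colon after "[pid]" dropped, a common slip when the
# pattern is typed by hand; kept only to show it never matches a real line.
SSHD_AUTH_RE_NO_COLON = re.compile(
    SSHD_AUTH_RE.pattern.replace(r"\])?: ", r"\])? ")
)


def parse_sshd_line(line, pattern=SSHD_AUTH_RE):
    """Return the extracted fields as a dict, or None when the line does not
    match (the case where Logstash grok would add the _grokparsefailure tag)."""
    m = pattern.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["invalid_user"] = fields.pop("invalid") is not None
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    fields["port"] = int(fields["port"])
    return fields


def failed_logins_by_ip(lines):
    """Count 'Failed' authentication events per source IP: the first pivot an
    analyst makes once these fields are indexed."""
    counts = Counter()
    for line in lines:
        fields = parse_sshd_line(line)
        if fields and fields["event"] == "Failed":
            counts[fields["ip"]] += 1
    return counts


# Constructed sample lines in /var/log/secure format (not taken from the post).
SAMPLE_LINES = [
    "Sep  3 14:50:10 bastion sshd[2045]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc123",
    "Sep  3 14:50:12 bastion sshd[2051]: Failed password for invalid user oracle from 203.0.113.9 port 40022 ssh2",
    "Sep  3 14:50:13 bastion sshd[2051]: Failed password for root from 203.0.113.9 port 40023 ssh2",
    "Sep  3 14:50:14 bastion sshd[2060]: Connection closed by 203.0.113.9 port 40024 [preauth]",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_sshd_line(sample))
    print(failed_logins_by_ip(SAMPLE_LINES))
    print("no-colon variant matches anything:",
          any(parse_sshd_line(s, SSHD_AUTH_RE_NO_COLON) for s in SAMPLE_LINES))
```

The fourth sample line (a pre-auth disconnect) has no `for` clause and is deliberately left unmatched; in Logstash that event would still be indexed, but tagged `_grokparsefailure` and without the `system.auth.*` fields, which is the behaviour to look for when a dashboard shows fewer SSH events than the file contains.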

Never mind, I need a better text editor. It was missing quotation marks in the grok filter.
