Logstash - Simple Log Ingest

slash665 · September 3, 2020, 12:53pm

Hello there,

I'm a total newb to ELK, so at this point I am just trying to ingest a log file from a specific path using a logstash configuration file in conf.d . it's just not working, however...

This is what my conf file looks like:

                file {
                        path => "/home/admin/Documents/secure"
                        start_position => beginning
                }
        }

        filter {
                grok {
                        match => { "message" => "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\\[%{POSINT:system.auth.pid}\\])? %{DATA:system.auth.ssh.event} %{DATA:system.auth.sshmethod} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})? }
                }
        }

        output {
                elasticsearch {
                        hosts => "http://localhost:9200"
                        index => "securelog"
                }
        }

And this is what I get when I test it

        WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
        Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
        [INFO ] 2020-09-03 14:50:10.127 [main] runner - Starting Logstash {"logstash.version"=>"7.9.0", "jruby.version"=>"jruby 9.2.12.0 (2.5.7) 2020-07-01 db01a49ba6 OpenJDK 64-Bit Server VM 25.262-b10 on 1.8.0_262-b10 +indy +jit [linux-x86_64]"}
        [WARN ] 2020-09-03 14:50:10.751 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
        [FATAL] 2020-09-03 14:50:11.562 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "{", "}" at line 16, column 13 (byte 521) after filter {
        	grok {
        		match => { "message" => "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\\[%{POSINT:system.auth.pid}\\])? %{DATA:system.auth.ssh.event} %{DATA:system.auth.sshmethod} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})? }
        	}
        }
        		
        output {
        	elasticsearch {
        		hosts => "
        [ERROR] 2020-09-03 14:50:11.566 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

It seems like this should be super simple, but i just cant get it to work

Any advice would be greatly appreciated!

slash665 · September 3, 2020, 1:22pm

Nevermind, I need a better text editor. It was missing quotation marks in the grok filter..

system · October 1, 2020, 1:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Not able to Run Logstash .Conf file in ELK 5.4 (Current) Version Logstash	5	5807	July 24, 2017
WARNING: Could not find logstash.yml Logstash	19	36248	February 20, 2017
Logstash asking filter file path Logstash	7	926	November 12, 2018
N00b: E on bro problem Logstash	5	784	April 9, 2017
Logstash Config Files (Am I doing something wrong) Logstash	8	655	June 19, 2019

Logstash - Simple Log Ingest

Related topics