Logstash stopped processing because of an error

anushka1203 · April 13, 2022, 6:17am

Hi, I am trying to send multiple log files to different ES indices. However, Logstash shuts down due to an error. I am a beginner and I could use some help with the same.

here is my logstash conf file -

input {
  beats {
port => 5044
host => "localhost"
  }
}

filter{
       if "operational" in [tags]
       {    
         csv {
           separator => ","
           columns => ["record_id","record_type","system_ticks",	"system_date",	"system_time",	"power_on_counter",	"aircraft_id",	"temperature",	"L1_code",	"L2_code",	"L3_code",	"L4_code",	"L1_text",	"L2_text",	"L3_text",	"L4_text",	"additional_text",	"occurrence_count"]
             }
       } 
      
       else if "syslog" in [tags] 
       {
       grok {
       match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
       add_field => [ "received_at", "%{@timestamp}" ]
       add_field => [ "received_from", "%{host}" ]
       }
       syslog_pri {}
       date {
       match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
       }
       }

       else if "access" in [tags]
       {
         grok {
           match => { "message" => "%{COMBINEDAPACHELOG}"}
         }
       }
      

      else if "psw-logs" in [tags]
      {    
         csv {
         separator => ","
         columns => ["Component", "Level", "Thread",	"Date",	"File",	"Function",	"Target ID",	"Message"]
             }
      } 

      else if "audit" or "comm_audit" in [tags] 
      {
      grok {
      match => { "message" => "type=%{DATA:audit_type}\smsg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\):.*?( msg=\'(?<sub_msg>.*?)\')?$" }
      named_captures_only => true
      }
      kv {
      exclude_keys => [ "msg", "type" ]
      }
      kv {
      source => "sub_msg"
      }
      date {
      match => [ "audit_epoch", "UNIX" ]
      }
      mutate {
      rename => [
      "auid", "uid_audit",
      "fsuid", "uid_fs",
      "suid", "uid_set",
      "ses", "session_id"
      ]
      remove_field => ['sub_msg', 'audit_epoch']
       }
      }

      else if "radius" in [tags]
      {
        grok {
        match => { "message" => "%{HTTPDERROR_DATE:date}\s:\s%{LOGLEVEL:log}:%{GREEDYDATA:message}"}
        }
      }

      if "_grokparsefailure" in [tags] {
      drop { }
      }
    }
      
     
output {
  if "operational" in [tags] {
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "operational logs"
    }
  stdout {codec =>  "rubydebug"}
  }

  else if "access" in [tags] {
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "access logs"
    }
  stdout {codec =>  "rubydebug"}
  }

  else if "psw-logs" in [tags] {
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "psw-logs"
    }
  stdout {codec =>  "rubydebug"}
  }

  else if "audit" or "comm_audit" in [tags] {
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "audit logs"
    }
  stdout {codec =>  "rubydebug"}
  }

  else if "radius" or "detail" in [tags] {
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "radius"
    }
  stdout {codec =>  "rubydebug"}
  }
}

Thanks in advance for your time

zx8086 · April 13, 2022, 11:39am

Adding the error log will help identify the issue.

system · May 11, 2022, 11:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.