LogStash::Json::ParserError: Unrecognized token : was expecting ('true', 'false' or 'null')

Hi,

I have trouble sending data from my logstash to another one.

Here is the error I have:

[2019-07-05T10:50:13,107][WARN][logstash.codecs.jsonlines] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unrecognized token 'Loading': was expecting ('true', 'false' or 'null')
 at [Source: (String)"Loading archive '46deb6d4-20ed-45e6-bbcf-7bcccf0cd0d1' to hosts running selected API Gateways...Deploying to API Gateway 'GW-1'...Completed successfully.Gateway instance [GW-1] deployed with [0] error(s)."; line: 1, column: 8]>, :data=>"Loading archive '46deb6d4-20ed-45e6-bbcf-7bcccf0cd0d1' to hosts running selected API Gateways...Deploying to API Gateway 'GW-1'...Completed successfully.Gateway instance [GW-1] deployed with [0] error(s)."}

Here is an example of an input sent to the logstash:

{
	"@timestamp": "2019-07-03T10:54:54.404Z",
	"@metadata": {
		"beat": "filebeat",
		"type": "_doc",
		"version": "7.0.1"
	},
	"log": {
		"file": {
			"path": "/appl/api/logs/LastDeployement_normal.log"
		},
		"offset": 45
	},
	"message": "Loading archive '46deb6d4-20ed-45e6-bbcf-7bcccf0cd0d1' to hosts running selected API Gateways...",
	"input": {
		"type": "log"
	},
	"fields": {
		"log_type": "deployement",
		"app": "api",
		"context": "dmz_back",
		"env": "uat",
		"component": "admin_node_manager"
	},
	"ecs": {
		"version": "1.0.0"
	},
	"host": {
		"name": "z98sl0681db"
	},
	"agent": {
		"type": "filebeat",
		"ephemeral_id": "f0c71f0c-a224-49a4-8ed7-edfe04898a28",
		"hostname": "z98sl068db",
		"id": "c2fb26d2-05bc-4bdd-a103-cf531dbe4ac4",
		"version": "7.0.1"
	}
}
{
	"@timestamp": "2019-07-03T10:54:54.405Z",
	"@metadata": {
		"beat": "filebeat",
		"type": "_doc",
		"version": "7.0.1"
	},
	"fields": {
		"log_type": "deployement",
		"app": "api",
		"context": "dmz_back",
		"env": "uat",
		"component": "admin_node_manager"
	},
	"input": {
		"type": "log"
	},
	"ecs": {
		"version": "1.0.0"
	},
	"host": {
		"name": "z98sl068i1db"
	},
	"agent": {
		"ephemeral_id": "f0c71f0c-a224-49a4-8ed7-edfe04898a28",
		"hostname": "z98sl068i1db",
		"id": "c2fb26d2-05bc-4bdd-a103-cf531dbe4ac4",
		"version": "7.0.1",
		"type": "filebeat"
	},
	"log": {
		"offset": 220,
		"file": {
			"path": "/appl/api/LastDeployement_normal.log"
		}
	},
	"message": "Deploying to API Gateway 'GW-1'..."
}

And so nothing arrives at the second Logstash because the first one can't send it.

I'll add that the Logstash configuration is empty, as you can see:

input {
        beats {
                port => 5044
                client_inactivity_timeout => 360
                codec => json_lines
        }

}

output {
        lumberjack {
                codec => json_lines
                hosts => ["parser01", "parser02"]
                ssl_certificate => "/appl/elk/logstash/conf.d/ssl/lumberjack.cert"
                port => 5443
        }
}

Any idea?

What is the configuration at the other end?

Hi @Badger,

Here is the configuration on the other end:

input {

        beats {
        port => 5044
        }

        beats {
                codec => json_lines
                port => 5443
                ssl => true
                ssl_certificate => "/appl/elk/logstash/conf.d/ssl/lumberjack.cert"
                ssl_key => "/appl/elk/logstash/conf.d/ssl/lumberjack.key"
                client_inactivity_timeout => 360
        }

        tcp {
            port => 5000
            type => syslog
            codec => json_lines
        }
}

I use the second input of course.

And I just try to get the message from the log with this:

			mutate {
				add_field => {
				"api_deployment_message" => "message"
				}
			}

Hi,

I tried a new thing. Here is the Filebeat configuration:

- type: log
  paths:
    - /appl/api/axway/apigateway/policydeployment_logs/*DSI*normal.log*
  fields:
    app: api
    bu: DSI
    context: dmz_back
    env: prod
    component: admin_node_manager
    log_type: deployement
  multiline.pattern: '^Deploying to API Gateway|^Deployed to|^Completed|^Gateway instance'
  multiline.negate: false
  multiline.match: after
  exclude_files: ['\.gz$']

And then in Logstash we have this:

        mutate {
                add_field => {
                        "api_deployment_message" => "%{[message]}"
                }
        }
        json {
                source => "message"
                target => "json"
        }
        date {
                match  => ["[json][timeStamp]", "UNIX_MS"]
                target => "@timestamp"
        }
        mutate {
                remove_tag => [ "beats_input_codec_plain_applied", "beats_input_codec_json_applied" ]
                remove_field => [ "json","beat","message" ]
        }
}

Here is what I got in the Logstash log:

[2019-07-17T10:36:46,919][WARN ][logstash.filters.json    ] Error parsing json {:source=>"message", :raw=>"Deployed to API Gateway 'GW-2' successfully.\nCompleted successfully.\nGateway instance [GW-1] deployed with [16] error(s).\nGateway instance [GW-2] deployed with [16] error(s).", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'Deployed': was expecting ('true', 'false' or 'null')
 at [Source: (byte[])"Deployed to API Gateway 'GW-2' successfully.
Completed successfully.
Gateway instance [GW-1] deployed with [16] error(s).
Gateway instance [GW-2] deployed with [16] error(s)."; line: 1, column: 10]>}

I presume it's because it is expecting JSON data and that is not JSON data? How could I transform my data to be in JSON format, if that is the problem?

Thanks
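
Added example, not part of the original thread and not the poster's configuration: the `json` filter in the post above is handed a plain-text `message`, so one way to keep those deployment lines is to parse only messages that start like a JSON object and pass the rest through untouched. The field names are taken from the post; the tag `plain_text_message` is a hypothetical name chosen here.

```logstash
filter {
  # Keep a copy of the raw line before any parsing (same field as in the post).
  mutate {
    add_field => { "api_deployment_message" => "%{[message]}" }
  }

  # Only hand the line to the json filter when it starts like a JSON object.
  if [message] =~ /^\s*\{/ {
    json {
      source => "message"
      target => "json"
      # Default failure tag, set explicitly so broken JSON stays searchable.
      tag_on_failure => ["_jsonparsefailure"]
    }

    # Use the parsed timestamp and drop the raw fields only if parsing worked.
    if "_jsonparsefailure" not in [tags] {
      date {
        match  => ["[json][timeStamp]", "UNIX_MS"]
        target => "@timestamp"
      }
      mutate {
        remove_field => ["json", "message"]
      }
    }
  } else {
    # Plain-text lines such as "Deployed to API Gateway 'GW-2' successfully."
    # are not JSON: tag them (hypothetical tag name) and leave "message" intact.
    mutate {
      add_tag => ["plain_text_message"]
    }
  }
}
```

With this guard the plain-text deployment lines reach the output with their original `message`, and only events that look like JSON but fail to parse carry `_jsonparsefailure`.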
