Logstash with multiple inputs and outputs

Megha_Shree · February 13, 2019, 3:10pm

HI All,
I am trying to send rsyslog and gelf msgs from logstash to Graylog server
I am getting the below error
:reason=>"Expected one of #, { at line 18, column 12 (byte 207) after output {\n if [type] == "rsyslog\

my config file looks like this
input {
udp {
host => "0.0.0.0"
port => 10514
type => "rsyslog"
}
udp {
host => "0.0.0.0"
port => 12205
type => "gelf"
}
}

filter {}

output {
if [type] == "rsyslog" {
host => "172.16.0.27"
port => 12201
protocol => "tcp"
}
if [type] == "gelf" {
host => "172.16.0.27"
port => 12202
protocol => "tcp"
}
stdout {}

}
can someone suggest please!!

Badger · February 13, 2019, 3:28pm

host is an option to an output. You have left out the output name.

Megha_Shree · February 13, 2019, 3:58pm

so should I add a name field here like name => "syslog". I am very new to this.

Thanks in advance

Badger · February 13, 2019, 4:00pm

If you want to use a syslog output then yes, change

host => "172.16.0.27"
port => 12201
protocol => "tcp"

to be

syslog {
host => "172.16.0.27"
port => 12201
protocol => "tcp"
}

Similarly for the type gelf

Megha_Shree · February 13, 2019, 4:07pm

still the same error. btw how does it gets to know which input to convert into which output format when we have multiple inputs.

Badger · February 13, 2019, 4:13pm

Exactly the same error? Same line and column numbers?

If you have multiple input and outputs then it sends events from all the inputs to all the outputs unless you use conditionals to change that.

Megha_Shree · February 13, 2019, 4:20pm

ok thanks.. sorry, this time its different
logstash.outputs.gelf ] Invalid setting for gelf output plugin:

output {
gelf {
# This setting must be a ["TCP", "UDP"]
# Expected one of ["TCP", "UDP"], got ["tcp"]
protocol => "tcp"
...
}
}
[2019-02-13T16:15:11,315][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Something is wrong with your configuration."}

I have changed the typr from tcp to TCP still the error continues

Badger · February 13, 2019, 4:38pm

I find that error goes away if you change "tcp" to "TCP". You may have to restart.

Megha_Shree · February 13, 2019, 4:55pm

I have changed the config file and restarted the machine
but now it is saying something wrong with syslog output

output {
syslog {
# This setting must be a ["tcp", "udp", "ssl-tcp"]
# Expected one of ["tcp", "udp", "ssl-tcp"], got ["TCP"]
protocol => "TCP"
...
}
}

any idea?

Badger · February 13, 2019, 5:04pm

For a gelf output protocol has to be TCP, for a tcp output it has to be tcp.

Logstash is full of little inconsistencies like this

Megha_Shree · February 13, 2019, 5:15pm

yea.. I was doing other way round.
Thanks a ton .. now my logstash works fine.

system · March 13, 2019, 5:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Syslog input to gelf output not working Logstash	1	1179	July 6, 2017
Drop logs that does not contains type syslog Logstash	3	409	December 30, 2019
"SocketError: send: name or service not known" on using GELF output plugin Logstash	4	3121	July 6, 2017
If conditional with multiple outputs Logstash	7	13156	May 22, 2019
Weird field/output issues Logstash	3	334	August 22, 2019

Logstash with multiple inputs and outputs

Related topics