Logstash

can somebody help me
when i excute the logstash this error appear
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2021-04-14 06:53:41.976 [main] runner - Starting Logstash {"logstash.version"=>"7.12.0", "jruby.version"=>"jruby 9.2.13.0 (2.5.7) 2020-08-03 9a89c94bcc OpenJDK 64-Bit Server VM 11.0.10+9 on 11.0.10+9 +indy +jit [linux-x86_64]"}
[WARN ] 2021-04-14 06:53:42.376 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2021-04-14 06:53:43.585 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[ERROR] 2021-04-14 06:53:44.401 [Converge PipelineAction::Create] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 146, column 1 (byte 3687) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in block in converge_state'"]}
[INFO ] 2021-04-14 06:53:44.472 [LogStash::Runner] runner - Logstash shut down.
ant this my configuration :slight_smile:
input {
beats {
port => 5044
}
}

filter {
if [type] == "auth" {
grok {
match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
date {
locale => "en"
match => [ "timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss" ]
timezone => "Europe/Berlin"
}

    if [message] =~ /^pam_/ {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{PAM}" }
            add_tag => [ "_grok_pam_success" ]
        }
        if [pam_kvdata] {
            mutate {
                gsub => [ "pam_kvdata", "= ", '=- ' ]
            }
            kv {
                source => "pam_kvdata"
                prefix => "pam_"
            }
            mutate {
                remove_field => [ "pam_kvdata" ]
            }
        }
    }

    if [program] == "sshd" {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{SSH_AUTHFAIL_WRONGCREDS}" }
            add_field => { "ssh_authresult" => "fail" "ssh_failreason" => "wrong_credentials" }
            add_tag => [ "_grok_sshd_success", "matched" ]
        }
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{SSH_AUTHFAIL_WRONGUSER}" }
            add_field => { "ssh_authresult" => "fail" "ssh_failreason" => "unknown_user" }
            add_tag => [ "_grok_sshd_success", "matched" ]
        }
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{SSH_AUTH_SUCCESS}" }
            add_field => { "ssh_authresult" => "success" }
            add_tag => [ "_grok_sshd_success", "matched" ]
        }
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{SSH_DISCONNECT}" }
            add_tag => [ "_grok_sshd_success", "matched", "ssh_disconnect" ]
        }
        mutate {
            remove_tag => [ "matched", "_grokparsefailure" ]
        }
        geoip {
            source => "ssh_client_ip"
        }
    }

    if [program] == "sudo" {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{SUDO}" }
            add_tag => [ "_grok_sudo_success" ]
        }
    }

    if [program] == "su" {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{SU}" }
            add_tag => [ "_grok_su_success" ]
        }
    }

    if [program] == "systemd-logind" {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{SYSTEMD_LOGIND}" }
            add_tag => [ "_grok_systemd_logind_success" ]
        }
    }

    if [program] in [ "useradd", "groupadd" ] {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{ACCOUNT_ADD}" }
            add_field => { "account_action" => "create" }
            add_tag => [ "_grok_new_account_success" ]
        }
        if [account_kvdata] {
            mutate {
                gsub => [ "account_kvdata", ", ", '|' ]
            }
            kv {
                source => "account_kvdata"
                prefix => "account_"
                field_split => "|"
            }
            mutate {
                remove_field => [ "account_kvdata" ]
            }
        }
    }

    if [program] == "usermod" {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{USERMOD}" }
            add_tag => [ "_grok_usermod_success" ]
        }
    }

    if [program] == "userdel" {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{USERDEL}" }
            add_tag => [ "_grok_userdel_success" ]
        }
        mutate {
            gsub => [ "account_action", "remove", "delete" ]
        }
    }

    if [program] == "groupdel" {
        grok {
            patterns_dir   => "${LL_PATTERN_DIR:/etc/logstash/patterns.d}"
            match => { "message" => "%{GROUPDEL}" }
            add_field => { "account_action" => "delete" }
            add_tag => [ "_grok_groupdel_success" ]
        }
    }
}

}
}
output {
file {
path => "/data/test_filter3.txt"
codec => line { format => "custom format: %{message}"}

    }

}

Remove two of those }

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.