Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{CISCOTIMESTAMPTZ:log_date} not defined>

adam.wendling · November 28, 2017, 9:22pm

I am new to logstash. I am able to write and use simple .conf files and they work. I am trying a more complex and not getting very far. I am getting errors when trying to run logstash config. I ran with --debug and got the below. Any help is appreciated. Thanks in advance.

sudo bin/logstash -f /etc/logstash/conf.d/cisco_syslog.conf --debug

[DEBUG] 2017-11-28 21:10:17.916 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] DateFilter - Date filter with format=YYYY MMM dd HH:mm:ss ZZZ, locale=null, timezone=null built as org.logstash.filters.parser.JodaParser
[DEBUG] 2017-11-28 21:10:17.917 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] DateFilter - Date filter with format=YYYY MMM dd HH:mm:ss.SSS, locale=null, timezone=null built as org.logstash.filters.parser.JodaParser
[DEBUG] 2017-11-28 21:10:17.930 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] DateFilter - Date filter with format=ISO8601, locale=null, timezone=null built as org.logstash.filters.parser.CasualISO8601Parser
[ERROR] 2017-11-28 21:10:19.528 [[main]-pipeline-manager] pipeline - Error registering plugin {:pipeline_id=>"main", :plugin=>"#<LogStash::FilterDelegator:0x20fc799 @metric_events_out=org.jruby.proxy.org.logstash.instrument.metrics.counter.LongCounter$Proxy2 - namespace: [s
tats, pipelines, main, plugins, filters, e66e8ba4c7b867bc99c1ccc72631a0a932c029b6621906596b13d9e253e3f30a, events] key: out value:0, @metric_events_in=org.jruby.proxy.org.logstash.instrument.metrics.counter.LongCounter$Proxy2 - namespace: [stats, pipelines, main, plugins, f
ilters, e66e8ba4c7b867bc99c1ccc72631a0a932c029b6621906596b13d9e253e3f30a, events] key: in value:0, @logger=#<LogStash::Logging::Logger:0x5c390f0e @logger=#<Java::OrgApacheLoggingLog4jCore::Logger:0x2c1e9ae1>>, @metric_events_time=org.jruby.proxy.org.logstash.instrument.metr
ics.counter.LongCounter$Proxy2 - namespace: [stats, pipelines, main, plugins, filters, e66e8ba4c7b867bc99c1ccc72631a0a932c029b6621906596b13d9e253e3f30a, events] key: duration_in_millis value:0, @id=\"e66e8ba4c7b867bc99c1ccc72631a0a932c029b6621906596b13d9e253e3f30a\", @klass
=LogStash::Filters::Grok, @metric_events=#<LogStash::Instrument::NamespacedMetric:0x76d86606 @metric=#<LogStash::Instrument::Metric:0x620d46ac @collector=#<LogStash::Instrument::Collector:0x3a1c119e @agent=nil, @metric_store=#<LogStash::Instrument::MetricStore:0xae59444 @st
ore=#<Concurrent::Map:0x00000000000fb4 entries=3 default_proc=nil>, @structured_lookup_mutex=#<Mutex:0x3f383b48>, @fast_lookup=#<Concurrent::Map:0x00000000000fb8 entries=81 default_proc=nil>>>>, @namespace_name=[:stats, :pipelines, :main, :plugins, :filters, :e66e8ba4c7b867
bc99c1ccc72631a0a932c029b6621906596b13d9e253e3f30a, :events]>, @filter=<LogStash::Filters::Grok patterns_dir=>[\"/opt/logstash/patterns/cisco_syslog\"], match=>{\"message\"=>[\"%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_
REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}\", \"%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_
REASON:facility_mnemonic}: %{GREEDYDATA:message}\", \"%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}\", \"%{SYSLOG5424PRI}(%{NUMBER:log_sequence
#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}\"]}, overwrite=>[\"message\"], add_tag=>[\"cisco\"], remove_field=>[\"syslog5424_pri\", \"@version\"], id=
>\"e66e8ba4c7b867bc99c1ccc72631a0a932c029b6621906596b13d9e253e3f30a\", enable_metric=>true, periodic_flush=>false, patterns_files_glob=>\"*\", break_on_match=>true, named_captures_only=>true, keep_empty_captures=>false, tag_on_failure=>[\"_grokparsefailure\"], timeout_milli
s=>30000, tag_on_timeout=>\"_groktimeout\">>", :error=>"pattern %{CISCOTIMESTAMPTZ:log_date} not defined", :thread=>"#<Thread:0x6dc255bb@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:290 run>"}
[ERROR] 2017-11-28 21:10:19.536 [[main]-pipeline-manager] pipeline - Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{CISCOTIMESTAMPTZ:log_date} not defined>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/jl
s-grok-0.11.4/lib/grok-pure.rb:123:in `block in compile'", "org/jruby/RubyKernel.java:1292:in `loop'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/jls-grok-0.11.4/lib/grok-pure.rb:93:in `compile'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-
grok-3.4.3/lib/logstash/filters/grok.rb:286:in `block in register'", "org/jruby/RubyArray.java:1734:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-3.4.3/lib/logstash/filters/grok.rb:280:in `block in register'", "org/jruby/RubyHash.java:
1343:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-3.4.3/lib/logstash/filters/grok.rb:275:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:388:in `register_plugin'", "/usr/share/logstash/logstash-core/lib/log
stash/pipeline.rb:399:in `block in register_plugins'", "org/jruby/RubyArray.java:1734:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:399:in `register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:801:in `maybe_setup_out_plug
ins'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:409:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:333:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:293:in `block in start'"], :thread=>"#<Thread:0
x6dc255bb@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:290 run>"}
[ERROR] 2017-11-28 21:10:19.547 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: Log
Stash::PipelineAction::Create/pipeline_id:main, action_result: false", :backtrace=>nil}`Preformatted text`

magnusbaeck · November 29, 2017, 7:26am

You're attempting to use a grok pattern, CISCOTIMESTAMPTZ, that Logstash doesn't know about. It doesn't appear to be a standard pattern bundled with Logstash.

adam.wendling · November 30, 2017, 6:55pm

Thank you. I found a character mismatch in the patterns file.

Umair_Suri · December 18, 2017, 9:03pm

How did you resolve this exactly, can you please explain. Thanks

adam.wendling · January 12, 2018, 6:59pm

My patterns file, that defines the CISCOTIMESTAMPTZ pattern, had a mistake in the file. I did not properly place brackets.

system · February 9, 2018, 6:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.