Read log from local file

Vigneshprasanna · January 30, 2018, 1:41pm

Im trying to read logs from a local folder in my system. I get the following error

D:\Personal\logstash-6.1.2\bin>logstash.bat -f ..\config\logstash.confSending Logstash's logs to D:/Personal/logstash-6.1.2/logs which is now configured via log4j2.properties
[2018-01-30T18:28:39,944][INFO ][logstash.modules.scaffold] Initializing module{:module_name=>"fb_apache", :directory=>"D:/Personal/logstash-6.1.2/modules/fb_apache/configuration"}
[2018-01-30T18:28:39,975][INFO ][logstash.modules.scaffold] Initializing module{:module_name=>"netflow", :directory=>"D:/Personal/logstash-6.1.2/modules/netflow/configuration"}
[2018-01-30T18:28:40,427][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-01-30T18:28:41,285][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.1.2"}
[2018-01-30T18:28:42,006][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-01-30T18:28:42,399][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 8, column
8 (byte 101) after input {\n file {\n path => "D:/Personal/Test_log_files"\n type => "file"\n }\n\n filter {\n grok ", :backtrace=>["D:/Personal/
logstash-6.1.2/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/compiler.rb:50:incom
pile_graph'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'",
"D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/compiler.rb:11:in compile_sources'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/pipeline.rb:51:ininitialize'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/pipeline.rb:171:in initialize'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/ pipeline_action/create.rb:40:inexecute'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/agent.rb:335:in block in converge_state'", "D:/Personal/ logstash-6.1.2/logstash-core/lib/logstash/agent.rb:141:inwith_pipelines'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/agent.rb:332:in block in converge_state'", "org/jruby/RubyArray.java:1734:ineach'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/agent.rb:319:in converge_state'", "D:/Personal /logstash-6.1.2/logstash-core/lib/logstash/agent.rb:166:inblock in converge_state_and_update'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/agent.r
b:141:in with_pipelines'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/agent.rb:164:inconverge_state_and_update'", "D:/Personal/logstash-6.1.2/
logstash-core/lib/logstash/agent.rb:90:in execute'", "D:/Personal/logstash-6.1.2/logstash-core/lib/logstash/runner.rb:343:inblock in execute'", "D:/Personal/
logstash-6.1.2/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

the conf file im using is

input {
file {
path => "D:/Personal/Test_log_files"
type => "file"
}
}
filter {
grok {
match => [
"message",
"%{TIME:time} %{LOGLEVEL:level} [(?[^]]+)] ((?[^)]+)) %{GREEDYDATA:message}"
]
overwrite => ["message"]
}
date {
match => ["time", "MMM dd YYYY HH:mm:ss,SSS"]
remove_field => ["time"]
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

can someone help me in understanding this

magnusbaeck · January 30, 2018, 2:12pm

I suspect you have some kind of garbage (i.e. a non-printable character) after "grok" (or thereabouts). The configuration looks fine and when I copy/paste it to a local fine it passes the syntax check.

system · February 27, 2018, 2:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.