Simple logstash for syslog and apache error

Elastic Stack Logstash
1

hello,

im trying to get a logstash config file,
that can parse syslogs and apachelogs too,

the following conf shows up in a result:
Error: Expected one of #, => at line 37, column 17 (byte 722)

but i didnt changed the output,
it was always like this,
just added the

if "_grokparsefailure" in [tags] {
mutate {
type => "apache" }
}}

and suddenly i get the error,
nothing changed in the output,
how can be there errors now ?
pls help me

input {
lumberjack {
# The port to listen on
port => 5000

# The paths to your ssl cert and key
ssl_certificate => XXX"
ssl_key => "XXX"

    }

}
filter {

if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{GREEDYDATA:syslog_message}" }
}

if "_grokparsefailure" in [tags] {
mutate {
type => "apache" }

}

else if [type] == "apache" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" } }

}

if "_grokparsefailure" in [tags] {
mutate {
type => "syslog" }

}
output {
elasticsearch { host => localhost }
stdout { codec => rubydebug } }

2

There are two closing curly braces after the lines you just added; neither if [type] == "syslog" { nor filter { is closed before output { begins.

If you indent your configuration files better errors like this will be much easier to spot.

3

thanks

didnt saw it anymore

now it works
but how can i put the _grokparsefailures out of saving into ES?
now i got lines at my ES,
one with _grokparsefailure on the wrong side(syslog or apache) and one then with the right (syslog or apache)
if you understand my bad english :stuck_out_tongue:

4

If you want to avoid passing messages with _grokparsefailure to ES, there's an example of exactly this at the end of the following section in the documentation: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

1 Like