Simple logstash for syslog and apache error


I'm trying to get a Logstash config file
that can parse syslogs and Apache logs too.

The following conf results in:
Error: Expected one of #, => at line 37, column 17 (byte 722)

But I didn't change the output,
it was always like this,
I just added the

if "_grokparsefailure" in [tags] {
mutate {
type => "apache" }

and suddenly I get the error.
Nothing changed in the output,
how can there be errors now?
Please help me.

input {
lumberjack {
# The port to listen on
port => 5000

# The paths to your ssl cert and key
ssl_certificate => "XXX"
ssl_key => "XXX"


filter {

if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{GREEDYDATA:syslog_message}" }

if "_grokparsefailure" in [tags] {
mutate {
type => "apache" }


else if [type] == "apache" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" } }


if "_grokparsefailure" in [tags] {
mutate {
type => "syslog" }

output {
elasticsearch { host => localhost }
stdout { codec => rubydebug } }

There are two closing curly braces after the lines you just added; neither if [type] == "syslog" { nor filter { is closed before output { begins.

If you indent your configuration files better, errors like this will be much easier to spot.


Didn't see it anymore.

Now it works,
but how can I keep the _grokparsefailures from being saved into ES?
Now I get lines in my ES:
one with _grokparsefailure on the wrong side (syslog or apache) and then one with the right (syslog or apache),
if you understand my bad English :stuck_out_tongue:

If you want to avoid passing messages with _grokparsefailure to ES, there's an example of exactly this at the end of the following section in the documentation:

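One way to keep events tagged _grokparsefailure out of Elasticsearch, shown as an added example that is not part of the original thread or the documentation it points to: an indented pipeline with every block closed, where the output is wrapped in a conditional on the tag. It reuses the grok patterns and the `elasticsearch { host => localhost }` output from the question; the certificate and key paths are placeholders, and the question's mutate blocks are left out.

```logstash
# Added example, not the poster's file. Certificate/key paths are placeholders.
input {
  lumberjack {
    # The port to listen on
    port => 5000
    ssl_certificate => "/path/to/placeholder.crt"
    ssl_key => "/path/to/placeholder.key"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{GREEDYDATA:syslog_message}" }
    }
  } else if [type] == "apache" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}

output {
  # Only events that grok parsed successfully are indexed.
  if "_grokparsefailure" not in [tags] {
    elasticsearch { host => localhost }
  }
  # stdout stays outside the conditional, so lines that failed to parse
  # remain visible for debugging instead of disappearing silently.
  stdout { codec => rubydebug }
}
```

With the braces indented this way, each `filter`, `if` and `grok` block visibly closes before `output {` begins, which is the mismatch the parser error in the question was reporting.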