Simple logstash for syslog and apache error


(Lukas Meier) #1

Hello,

I'm trying to get a logstash config file
that can parse syslogs and apache logs too.

The following conf shows up with this result:
Error: Expected one of #, => at line 37, column 17 (byte 722)

But I didn't change the output,
it was always like this,
I just added the

if "_grokparsefailure" in [tags] {
  mutate {
    type => "apache" }
}}

and suddenly I get the error.
Nothing changed in the output,
how can there be errors now?
Please help me

input {
  lumberjack {
    # The port to listen on
    port => 5000

    # The paths to your ssl cert and key
    ssl_certificate => "XXX"
    ssl_key => "XXX"
  }
}
filter {

  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{GREEDYDATA:syslog_message}" }
    }

    if "_grokparsefailure" in [tags] {
      mutate {
        type => "apache" }

    }

    else if [type] == "apache" {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" } }

    }

    if "_grokparsefailure" in [tags] {
      mutate {
        type => "syslog" }

    }
output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug } }


(Magnus Bäck) #2

There are two closing curly braces after the lines you just added; neither if [type] == "syslog" { nor filter { is closed before output { begins.

If you indent your configuration files better errors like this will be much easier to spot.


(Lukas Meier) #3

Thanks,

I didn't see it anymore.

Now it works,
but how can I keep the _grokparsefailures from being saved into ES?
Now I get lines in my ES,
one with _grokparsefailure on the wrong side (syslog or apache) and then one with the right one (syslog or apache),
if you understand my bad English :stuck_out_tongue:


(Magnus Bäck) #4

If you want to avoid passing messages with _grokparsefailure to ES, there's an example of exactly this at the end of the following section in the documentation: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals
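As an added example (not posted by either participant), here is the shape the two answers point at: a filter section whose braces balance, the type rewritten only after the fallback pattern has actually matched, and an output conditional that keeps _grokparsefailure events out of Elasticsearch. The certificate paths are placeholders, and the elasticsearch output keeps the thread's own host => localhost form.

```conf
input {
  lumberjack {
    port => 5000
    ssl_certificate => "/etc/logstash/lumberjack.crt"   # placeholder path
    ssl_key => "/etc/logstash/lumberjack.key"           # placeholder path
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{GREEDYDATA:syslog_message}" }
    }
    # Fallback for lines shipped as syslog that are really Apache access lines.
    # grok applies remove_tag only when its own match succeeds, so the
    # failure tag survives if neither pattern fits the line.
    if "_grokparsefailure" in [tags] {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
        remove_tag => [ "_grokparsefailure" ]
      }
      # Rewrite the type only once the fallback pattern has matched.
      if "_grokparsefailure" not in [tags] {
        mutate { replace => { "type" => "apache" } }
      }
    }
  }
  else if [type] == "apache" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}

output {
  # Unparsed lines stay out of the index; they go to the console for inspection.
  if "_grokparsefailure" in [tags] {
    stdout { codec => rubydebug }
  }
  else {
    elasticsearch { host => localhost }
  }
}
```

Checking the file with logstash's --configtest option before restarting catches an unbalanced brace like the one in the first post, which the error message reports as a line and column position rather than as a missing close.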

