[SOLVED]Logstash configuration problem identification

Elastic Stack Logstash
1

Hello .
I cannot figure out the problem in this configuration I have created:

I get error:

[2018-08-30T17:43:41,301][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:cybercrime_tracker, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 30, column 19 (byte 1002) after filter {\n split {\n field => "[message]"\n }\n if ([message] =~ /^#/) {\n drop{}\n }\n else {\n grok {\n match => { "message" => "^%{URI:url}" }\n }\n }\n\n\noutput {\n elasticsearch ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2486:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:157:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:38:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:309:in block in converge_state'"]}

My pipeline config:

cat pipelines.yml | grep cybercrime_tracker -A 3

  • pipeline.id: cybercrime_tracker
    path.config: "/etc/logstash/conf.d/cybercrime.conf"
    pipeline.workers: 16

My cybercrime.conf

input {
http_poller {
urls => {
cybercrime_tracker_all => "http://cybercrime-tracker.net/all.php"
}
request_timeout => 30
tags => ["cybercrime", "url"]
codec => "line"
validate_after_inactivity => 200
schedule => { cron => "*/50 * * * *" }
metadata_target => "metadata"
}
}

filter {
split {
field => "[message]"
}
if ([message] =~ /^#/) {
drop{}
}
else {
grok {
match => { "message" => "^%{URI:url}" }
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "blocks"
document_type => "default"
}
}

File content looks like:
futoimtelibrary.com/Godfirst/panelnew/admin.php
www.emeka.igg.biz/ems/admin.php
lydiasimoncreative.com/.css/cp.php?m=login

terriblekira.su/uk/
veraceforneria.com/test/home/sjdhf/server/cp.php?m=login
viewtoconfirm.com/marchit/Panel/admin.php
www.ecostore.co.il/shell/123.php
hoiyhead.co.uk/images/php/suz/admin.php
hoiyhead.co.uk/images/php/suz1/admin.php
hoiyhead.co.uk/images/php/suz2/admin.php
hoiyhead.co.uk/images/php/suz3/admin.php
hoiyhead.co.uk/images/php/suz4/admin.php
hoiyhead.co.uk/images/php/edd/admin.php
hoiyhead.co.uk/images/php/eno/admin.php
hoiyhead.co.uk/images/php/law/admin.php
hoiyhead.co.uk/images/php/maza/admin.php
hoiyhead.co.uk/images/php/oge/admin.php

What is the problem? Thanks for suggestions.

2

Missed } in the filter plugin.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.