Starting logstash with grok

EDIT: Solved - had to escape " in CMD=\"%{DATA:Command}\"

I'm trying to start logstash with a new config and it just fails.

This is the line I'm trying to add:

match => { "message" => "\A%{SYSLOGTIMESTAMP:sys_timestamp} %{NOTSPACE:Hostname} %{USER:Logged}: USER=%{USER:User} PWD=%{UNIXPATH:Directory} PID=\[%{INT:PID}] CMD="%{DATA:Command}" Exit=\[%{INT:Exit}\] CONNECTION=%{GREEDYDATA:Connection}"
}

This is the error I get:

[2020-08-30T11:08:48,641][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.9.0", "jruby.version"=>"jruby 9.2.12.0 (2.5.7) 2020-07-01 db01a49ba6 OpenJDK 64-Bit Server VM 25.262-b10 on 1.8.0_262-b10 +indy +jit [linux-x86_64]"}
[2020-08-30T11:08:49,334][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-08-30T11:08:52,021][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" at line 35, column 165 (byte 1211) after filter {\nmutate {\n        add_tag => [ \"insidefilter\" ]\n      }\nif [log][file][path] =~ \"mongos.log\"{\ngrok { match => { \"message\" => \"\\A%{TIMESTAMP_ISO8601} I ACCESS   %{NOTSPACE} SCRAM-SHA-1 authentication failed for %{USER:User} on %{USER:DB} from client %{SYSLOGHOST:From}:%{INT:Port} ; %{GREEDYDATA:Reason}\"\n}\n}\nmutate { add_tag => [ \"mongosIfStatement\" ] }\n}\nif [log][file][path] =~ \"mysql.*\\.log$\" {\ngrok { match => { \"message\" => \"%{TIMESTAMP_ISO8601:Date} %{INT:Number} \\[Note] Access denied for user '%{USER:User}'@'%{SYSLOGHOST:IP}' \\(using password: %{WORD:Password}%{GREEDYDATA}\"\n}\n}\nmutate { add_tag => [ \"mysqldIfStatement\" ] }\n} \nif [log][file][path] =~ /\\.json$/ {\n     json {\n        source => \"message\"\n     }\n  }\nif [log][file][path] =~ \"commands.log\" {\ngrok{\nmatch => { \"message\" => \"\\A%{SYSLOGTIMESTAMP:sys_timestamp} %{NOTSPACE:Hostname} %{USER:Logged}: USER=%{USER:User} PWD=%{UNIXPATH:Directory} PID=\\[%{INT:PID}] CMD=\"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:183:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:44:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:357:in `block in converge_state'"]}
[2020-08-30T11:08:52,382][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-08-30T11:08:57,271][INFO ][logstash.runner          ] Logstash shut down.
[2020-08-30T11:08:57,296][ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

This is the full config file. If I comment out this line it works. (It's lines 35-36.)

What did I do wrong? What does it not like? Huge thanks ahead!
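As an added example (not from the original post or from Logstash itself), a small Python model of the two things at play here: a Logstash double-quoted string literal ends at the first unescaped `"`, so the parser sees `%{DATA:Command}...` as stray text after the value, while the escaped version yields the full grok pattern, which is then expanded and matched against a constructed commands.log line. The grok pattern subset, the sample line and the unescaping behaviour modelled are assumptions.

```python
import re
# Constructed subset of the built-in grok library (simplified, assumed adequate here).
GROK_PATTERNS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "NOTSPACE": r"\S+",
    "USER": r"[a-zA-Z0-9._-]+",
    "UNIXPATH": r"(?:/[\w.-]+)+",
    "INT": r"[+-]?\d+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}
def scan_quoted_literal(s):
    """Scan a double-quoted config string from s[0]; return (value, index past the close quote).
    Only \\" is unescaped (Logstash default, config.support_escapes false); \\A, \\[ pass through."""
    out, i = [], 1
    while i < len(s):
        if s[i] == "\\" and s[i + 1:i + 2] == '"':
            out.append('"')
            i += 2
        elif s[i] == '"':
            return "".join(out), i + 1
        else:
            out.append(s[i])
            i += 1
    raise ValueError("unterminated string literal")

def grok_to_regex(pattern):
    """Expand %{NAME:field} / %{NAME} into Python named / non-capturing groups."""
    def repl(m):
        body, field = GROK_PATTERNS[m.group(1)], m.group(2)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)

def parse_command_log(config_fragment, line):
    """Take the grok literal out of a config fragment and match it against a log line.
    Leftover text after the close quote is what Logstash rejects: an unescaped " ends the string."""
    pattern, end = scan_quoted_literal(config_fragment)
    rest = config_fragment[end:]
    if rest.strip():
        raise ValueError(f"unexpected text after string literal: {rest[:24]!r}")
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None
# The value from the post as first written, then with the inner quotes escaped as in the EDIT.
BROKEN = (r'"\A%{SYSLOGTIMESTAMP:sys_timestamp} %{NOTSPACE:Hostname} %{USER:Logged}: '
          r'USER=%{USER:User} PWD=%{UNIXPATH:Directory} PID=\[%{INT:PID}] '
          r'CMD="%{DATA:Command}" Exit=\[%{INT:Exit}\] CONNECTION=%{GREEDYDATA:Connection}"')
FIXED = BROKEN.replace('CMD="%{DATA:Command}"', 'CMD=\\"%{DATA:Command}\\"')
# Constructed sample line in the commands.log format the pattern targets.
SAMPLE_LINE = ('Aug 30 11:08:48 host01 root: USER=alice PWD=/home/alice PID=[4242] '
               'CMD="ls -la /etc" Exit=[0] CONNECTION=pts/1 192.0.2.10')
```

Calling `parse_command_log(BROKEN, SAMPLE_LINE)` raises at the leftover `%{DATA:Command}" Exit=...`, mirroring the "Expected one of ..." error above, while `parse_command_log(FIXED, SAMPLE_LINE)` returns the extracted fields.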