Unexpected character '<'

colix · February 28, 2019, 3:00pm

Hi, i sent json log to logstash.

Logstash config:

input {
udp {
port => 5001
codec => "json"
}
}

filter {
     json {
     source => "message"
}
}

output {
if [type] == "rsyslog" {
elasticsearch {
hosts => [ "elasticsearch:9200" ]
}
}
}

But log on logstash container deliver with bad prefix - <190>1 and etc.

I can't parse json log.

How i can remove this prefix?

   2019-02-28T14:48:05.337654192Z [2019-02-28T14:48:05,337][ERROR][logstash.codecs.json     ] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
    2019-02-28T14:48:05.337685673Z  at [Source: (String)"<190>1 2019-02-28T17:47:58+03:00 rnis-fpo-t1sync-2 php-t1sync 1021 - - {"message":"Register service [com.rnis.t1sync] with subjects","context":[["com.rnis.t1sync.action.history","com.rnis.t1sync.action.mileage","com.rnis.t1sync.action.odometr","com.rnis.t1sync.action.motohours","com.rnis.t1sync.action.odometr.multiple","com.rnis.t1sync.action.history.multiple","com.rnis.t1sync.action.device.find","com.rnis.t1sync.action.device.score","com.rnis.t1sync.action.device.tachograph","com.rnis.t1sync.ac"[truncated 403 chars]; line: 1, column: 2]>, :data=>"<190>1 2019-02-28T17:47:58+03:00 rnis-fpo-t1sync-2 php-t1sync 1021 - - {\"message\":\"Register service [com.rnis.t1sync] with subjects\",\"context\":[[\"com.rnis.t1sync.action.history\",\"com.rnis.t1sync.action.mileage\",\"com.rnis.t1sync.action.odometr\",\"com.rnis.t1sync.action.motohours\",\"com.rnis.t1sync.action.odometr.multiple\",\"com.rnis.t1sync.action.history.multiple\",\"com.rnis.t1sync.action.device.find\",\"com.rnis.t1sync.action.device.score\",\"com.rnis.t1sync.action.device.tachograph\",\"com.rnis.t1sync.action.extended_data\",\"com.rnis.t1sync.action.device.arhived_telematics\",\"com.rnis.system.event.status.collect\"]],\"level\":200,\"level_name\":\"INFO\",\"channel\":\"lumen\",\"datetime\":{\"date\":\"2019-02-28 17:47:58.960518\",\"timezone_type\":3,\"timezone\":\"Europe/Moscow\"},\"extra\":[],\"timestamp\":\"2019-02-28T17:47:58.960518+0300\",\"service\":\"t1sync\",\"env\":\"production\",\"hostname\":\"rnis-fpo-t1sync-2\",\"ip\":\"10.42.88.188\"}\n"

Badger · February 28, 2019, 3:23pm

You should not have both a json codec and a json filter. In this case you need to use a json filter.

    dissect { mapping => { "message" => "<%{pri}>%{item1} %{ts} %{hostname} %{item2} %{item3} - - %{restOfLine}" } }
    json { source => "restOfLine" }

colix · February 28, 2019, 8:00pm

Even if i don't use json filter i have bad prefix

system · March 28, 2019, 8:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.