Unexpected end-of-input within/between Object entries

This is the message I'm getting in the Logstash log.

JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
at [Source: (String)

I'm not sure where to tackle that error. I'm grokking out a Windows event ID 4688 which is brought to Logstash via rsyslog. Other and most 4688 events parse just fine. If I take the log event and put it into the Grok debugger with the pattern - it matches just fine.

The issue is not grok matching a pattern, it is a json codec or filter being unable to parse the message. Which are you using (codec or filter) and what are the contents of the message field when you get this error?

My input is:

            codec => json {
                    charset => "ISO-8859-1"
            }

From there I run the filter and first see if tags match - like matching a "windows" tag - it further matches on the event ID - like 4688. From there if Mandatory exists in the Message then do x, if not, do y.

In this particular situation, it puts the entire log event into the message field - like this.

JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries
at [Source: (String)"{"@timestamp":"2019-09-04T14:13:51-04:00","@version":"1","message":" Sep 04 14:13:51 2019#0114688#011Microsoft-Windows-Security-Auditing#011-\-#011N/A#011Success Audit#011My.FQ.DN#011Process Creation#011#011A new process has been created.

Other event 4688s are just fine. Although I just noticed that the error message differs somewhat between the ones that are not happy.

Unexpected end-of-input in field name

or

Unexpected end-of-input within/between Object entries

The data that the input received is not JSON, so a json codec will not be able to parse it. How are you sending events to logstash? Are they really JSON?

Yeah - well sort of, rsyslog converts it as it sends to Logstash. We're talking a couple thousand errors out of about 42 million - it's a distinct minority but one I'm still wanting to solve.
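An added example, not part of any post in this thread: both error messages quoted above mean the string ended before the JSON object was closed, so one way to triage the failing minority is to run captured lines through a script that reports where each one stopped and how long it was. The function names, category labels and sample lines are assumptions made for this illustration; the lines are constructed, and the charset matches the one set on the codec above.

```python
import json
from collections import Counter

def scan_state(text):
    """Walk text as JSON; return (still_in_string, open_bracket_depth) at the end."""
    in_string = escaped = False
    depth = 0
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is consumed
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
        elif ch in "}]":
            depth -= 1
    return in_string, depth

def classify(line):
    """Label a line as ok, cut off inside a string, cut off inside an object, or malformed."""
    try:
        json.loads(line)
        return "ok"
    except json.JSONDecodeError:
        in_string, depth = scan_state(line)
        if in_string:
            return "ended-in-string"     # cut off inside a field name or value
        if depth > 0:
            return "ended-in-object"     # cut off between entries
        return "malformed"               # complete input, but not valid JSON

def triage(lines, charset="iso-8859-1"):
    """Return [(category, byte_length)] so failures can be compared by size."""
    return [(classify(line), len(line.encode(charset))) for line in lines]

# Constructed sample lines (hypothetical, modelled on the event format in the thread)
SAMPLES = [
    '{"@timestamp":"2019-09-04T14:13:51-04:00","@version":"1","message":"A new process has been created.","tags":["windows"]}',
    '{"@timestamp":"2019-09-04T14:13:51-04:00","@version":"1","message":" Sep 04 14:13:51 2019#0114688#011A new process has been created.',
    '{"@timestamp":"2019-09-04T14:13:51-04:00","@version":"1",',
    '{"@timestamp":"2019-09-04T14:13:51-04:00","@ver',
    'Sep 04 14:13:51 My.FQ.DN plain syslog text',
]

if __name__ == "__main__":
    results = triage(SAMPLES)
    for category, size in results:
        print(f"{category:16} {size} bytes")
    print(Counter(category for category, _ in results))
```

If the lines labelled as cut off all share the same byte length, that points at a size limit somewhere between the sender and the input rather than at the event content.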
