This is my logstash config file, after running it I got the below error
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
filter {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} [%{WORD:text},%{NUMBER:num},%{IPV4:attack_src}]\s*[%{GREEDYDATA:username}][%{WORD:password}] -\s*%{GREEDYDATA:rest}" }
}
mutate {
gsub => ["rest", "'", '"']
gsub => ["rest", "False", "false"]
}
json {
source => "rest"
}
mutate {
remove_field => ["rest", "message"]
}
}
output {
elasticsearch {
host => ["localhost:9200"]
protocol => http
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
ERROR:
Trouble parsing json {:source=>"rest", :raw=>"CONNECTION_LOST", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'CONNECTION_LOST': was expecting ('true', 'false' or 'null')
at [Source: [B@1e93758; line: 1, column: 31]>, :level=>:warn}
Trouble parsing json {:source=>"rest", :raw=>"CONNECTION_LOST", :exception=>#<LogStash::Json::ParserError: Unrecognized token 'CONNECTION_LOST': was expecting ('true', 'false' or 'null')
at [Source: [B@a54131; line: 1, column: 31]>, :level=>:warn}