Using Logstash to get Postfix Logs

(Matheus Ribeiro Garcia) #1

Hello everyone, I've been trying to use Logstash to parse data from Postfix logs, but I've had several problems with Docker containers in this process. Now it seems like my containers are up, but I'm still getting some error that might be related to my config files.

I have my config files separated in a folder called config:
Input:

input {
  file {
    type => "postfix"
    path => ["/data/mail.log"]
    start_position => "beginning"
  }
}

filter-postfix:

filter {
  if [type] == "postfix" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:host} %{SYSLOGPROG}"}
    }
  }
}

Two other filters that are too big to put here, and finally:

an output:

output {
  elasticsearch {
    # the elasticsearch output takes "hosts" (an array); the older "host" setting is rejected
    hosts => ["myhost.com.br:9201"]
    index => "index-name"
  }
}

Running my container I get this error:

[ERROR] 2019-04-18 01:57:53.624 [Converge PipelineAction::Create<main>] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, input, filter, output at line 286, column 1 (byte 11195) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:38:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:309:in `block in converge_state'"]}
[INFO ] 2019-04-18 01:57:55.147 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}

(Staale) #2

How do you expect anyone to help you when you don't post your config? The error says line 286 in your config. And since you didn't bother posting anything of that config....

(Matheus Ribeiro Garcia) #3

I understand, but I didn't post it here because the Elastic forums do not allow big posts. I'll upload it to git.

(Staale) #4

But verify the containers by using just the config you have posted. A simple input with a simple output. Then at least you'll get a confirmation that the container works as intended. Then slowly build the config while testing.
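
The error in post #1 means the parser was at the top level of the config and found something other than a comment or an input, filter or output section. As an added example (not part of the thread and not Logstash's own parser), this Python check scans a config file's text and reports the first such position or an unclosed block; the function name and the sample config are constructed, and regex literals in conditionals are assumed absent.

```python
import re

SECTION = re.compile(r"(?:input|filter|output)\s*\{")
# Quoted strings, approximated: a backslash-escaped quote does not end the string.
STRING = re.compile(r'"(?:\\"|[^"])*"|\'(?:\\\'|[^\'])*\'')

def first_top_level_error(text):
    """Return (line, column, reason) for the first structural problem, else None."""
    def pos(i):
        return text.count("\n", 0, i) + 1, i - text.rfind("\n", 0, i)
    depth, i = 0, 0
    while i < len(text):
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                       # comment: jump past the end of the line
            i = (text.find("\n", i) + 1) or len(text)
        elif depth == 0:                     # only a section may start at top level
            m = SECTION.match(text, i)
            if not m:
                return (*pos(i), "expected input, filter or output, found %r" % c)
            depth, i = 1, m.end()
        elif c in "\"'":                     # skip strings so grok %{...} is not counted
            m = STRING.match(text, i)
            if not m:
                return (*pos(i), "unterminated string")
            i = m.end()
        else:
            depth += (c == "{") - (c == "}")
            i += 1
    if depth:
        return (*pos(len(text)), "%d block(s) still open at end of file" % depth)
    return None

# Constructed sample: line 9 carries one closing brace too many.
SAMPLE = """input {
  file { path => ["/data/mail.log"] }
}
filter {
  if [type] == "postfix" {
    grok { match => { "message" => "%{SYSLOGPROG}" } }
  }
}
}
output { stdout { } }
"""

if __name__ == "__main__":
    print(first_top_level_error(SAMPLE))
```

Run against each file in the config folder, it narrows a "line N, column 1" parse error to a stray or missing brace before the container is restarted.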
