Using Logstash to get Postfix Logs

matheusribeirogarcia · April 18, 2019, 1:59am

Hello everyone, i've been trying to use Logstash to parse data of Post Fix Logs, but I've had several problems with Docker Containers in this proccess. Now it seems like my containers are up, but i'm still getting some error that might be related to my config files.

I have my config files separeted on a paste called config:
Input:

input {
  file {
    type => "postfix"
    path => ["/data/mail.log"]
    start_position => "beginning"
  }
}

filter-postfix:

filter {
  if [type] == "postfix" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:host} %{SYSLOGPROG}"}
    }
  }
}

Two other filters that are too big to put here, and finally:

an output:

output {
  elasticsearch {
    host => "myhost.com.br:9201"
    index => "index-name"
  }
}

Running my container I get this error:

[ERROR] 2019-04-18 01:57:53.624 [Converge PipelineAction::Create<main>] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, input, filter, output at line 286, column 1 (byte 11195) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:38:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:309:in `block in converge_state'"]}
[INFO ] 2019-04-18 01:57:55.147 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}

staodd · April 18, 2019, 2:31am

How do you expect anyone to help you when you don't post your config? The error says line 286 in your config. And since you didn't bother posting anything of that config....

matheusribeirogarcia · April 18, 2019, 2:44am

I understand, but I didn't post it here because elastic forums do not allow big posts, I"ll upload it at git

staodd · April 18, 2019, 8:50am

But verify the containers by using just the config you have posted. A simple input with a simple output. Then at least you'll get a confirmation that the container works as intended. Then slowly build the config while testing.

system · May 16, 2019, 8:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[ERROR][logstash.agent] "Expected one of [ \\t\\r\\n], \"#\", \"input\", \"filter\", \"output\" at line 1, column 1 (byte 1)" Logstash docker	2	1181	May 5, 2021
Can you help me with Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError" problem? Logstash	3	601	August 15, 2019
Problem with docker-compose and logstash Logstash	9	2180	April 9, 2020
Logstash configuration - comment breaks the logstash configuration Logstash	4	377	June 10, 2019
Syntax error with filter Logstash	4	393	August 22, 2019

Using Logstash to get Postfix Logs

Related topics