I have a ELK stack in my server, in other pc i have filebeat listening for Checkpoint syslogs. I know i have to write the filters in a .conf file. This is mine :
filter{
if "checkpoint-firewall" in [tags] {
grok {
match => [
"message" => "<%{POSINT:priority}>%{MONTH:mes}%{SPACE}%{MONTHDAY:dia}%{SPACE}%{HOUR:hora}:%{MINUTE:minuto}:%{SECOND:segundo}?%{ISO8601_TIMEZONE:zona_horaria}?%{SPACE}%{IP:host}{SPACE}%{WORD:}"
]
}
kv {
source => "raw_message"
value_split => '=\"'
allow_duplicate_values => true
}
}
}
But Logstash complains and dont recieve the Logs, what am i doing bad?
EDIT, I found The Log:
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"{\", \",\", \"]\" at line 16, column 19 (byte 284) after filter{\n \n if \"checkpoint-firewall\" in [tags] {\n grok {\n match => [\n \"message\" ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in `block in converge_state'"]}
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.