Hi All,
I am trying to set up Logstash to receive Winlogbeat input, with the Logstash config file conditionally redirecting output to a specific Elasticsearch index. I am getting a configuration error; complete details are below.
Logstash Config File:
input {
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}
output {
  if [winlogbeats][event_logs][tags] == "Security_Log" {
    output {
      elasticsearch {
        hosts => "localhost:9200"
        manage_template => false
        index => "SecLog-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      }
    }
  }
  else if [winlogbeats][event_logs][tags] == "System_Log" {
    output {
      elasticsearch {
        hosts => "localhost:9200"
        manage_template => false
        index => "SysLog-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      }
    }
  }
}
}
Winlogbeat Config:
winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    include_xml: true
    level: critical, error, warning, information, verbose
    tags: ["Security_Log"]
  - name: System
    ignore_older: 72h
    include_xml: true
    level: critical, error, warning, information, verbose
    tags: ["System_Log"]
#==================== Elasticsearch template setting ==========================
setup.template.settings:
  index.number_of_shards: 3
#================================ General =====================================
name: "WinLogsShipper:Sec&Sys"
tags: ["WInLogsShipper-Sec&Sys"]
#============================== Kibana =====================================
setup.kibana:
  host: "localhost:5601"
#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["localhost:5044"]
======
Error in cmd:
[2018-09-17T17:27:24,008][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:JK_System, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 30, column 27 (byte 857) after output{\n if [winlogbeats][event_logs][tags] == \"Security_Log\" {\n output{\n elasticsearch ", :backtrace=>["D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:157:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline_action/create.rb:38:in `execute'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/agent.rb:309:in `block in converge_state'"]}
[2018-09-17T17:27:24,010][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:JK_Security, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 30, column 27 (byte 857) after output{\n if [winlogbeats][event_logs][tags] == \"Security_Log\" {\n output{\n elasticsearch ", :backtrace=>["D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:157:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline_action/create.rb:38:in `execute'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/agent.rb:309:in `block in converge_state'"]}
[2018-09-17T17:27:24,252][DEBUG][logstash.agent ] Starting puma
[2018-09-17T17:27:24,276][DEBUG][logstash.agent ] Trying to start WebServer {:port=>9600}
[2018-09-17T17:27:24,362][DEBUG][logstash.api.service ] [api-service] start
[2018-09-17T17:27:24,728][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-09-17T17:27:26,626][WARN ][logstash.runner ] SIGINT received. Shutting down.
Any help and guidance, or a pointer to simple explanatory documentation / external links, would be much appreciated. Thanks in advance.
Regards,
Juneid.
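A corrected pipeline for the setup above, added here as an example and not part of the original post. It keeps the same ports, hosts and Winlogbeat configuration, removes the nested `output {}` blocks that the parser rejects (an `elasticsearch {}` plugin block sits directly inside the conditional), tests tag membership with `in` because Winlogbeat writes each `event_logs` entry's `tags` into the top-level `tags` array (so `==` against it never matches), and lowercases the index names, which Elasticsearch requires; the catch-all branch and its `winlog-other-*` index name are assumptions.

```logstash
input {
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}

output {
  # Winlogbeat puts the per-event_log "tags" list into the top-level [tags]
  # array (the global "tags" setting is appended to the same array), so the
  # nested path [winlogbeats][event_logs][tags] does not exist on the event.
  if "Security_Log" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      # Index names must be lowercase; "SecLog-..." is rejected at index time.
      index => "seclog-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  } else if "System_Log" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "syslog-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  } else {
    # Assumed catch-all so events matching neither tag are kept rather than
    # silently dropped; without it an untagged event produces no output.
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "winlog-other-%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    }
  }
}
```

Check the syntax before restarting the service with `bin/logstash -f <path-to-config> --config.test_and_exit`, which reports the same `Expected one of #, =>` class of error without starting the pipeline.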