Winlogbeat to Logstash = Config file help required


(Juneid ) #1

Hi All,

I am trying to set up Logstash to receive Winlogbeat input, with a Logstash config file that conditionally redirects output to a specific Elasticsearch index. I am getting a configuration error; complete details below:

Logstash Config File:

input{
    beats {
        port => 5044
        host => "0.0.0.0"
    }
}
output{
    if [winlogbeats][event_logs][tags] == "Security_Log" {
        output{
            elasticsearch {
                hosts => "localhost:9200"
                manage_template => false
                index => "SecLog-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
            }
        }
    }
    else if [winlogbeats][event_logs][tags] == "System_Log" {
        output{
            elasticsearch {
                hosts => "localhost:9200"
                manage_template => false
                index => "SysLog-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
            }
        }
    }
}

}

Winlogbeat Config:

winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    include_xml: true 
    level: critical, error, warning, information, verbose
    tags: ["Security_Log"]
  - name: System
    ignore_older: 72h
    include_xml: true 
    level: critical, error, warning, information, verbose
    tags: ["System_Log"]
#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
#================================ General =====================================

name: "WinLogsShipper:Sec&Sys"
tags: ["WInLogsShipper-Sec&Sys"]

#============================== Kibana =====================================

setup.kibana:

  host: "localhost:5601"

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["localhost:5044"]

======

Error in cmd:

[2018-09-17T17:27:24,008][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:JK_System, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 30, column 27 (byte 857) after output{\n    if [winlogbeats][event_logs][tags] == \"Security_Log\" {\n        output{\n            elasticsearch ", :backtrace=>["D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:157:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline_action/create.rb:38:in `execute'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/agent.rb:309:in `block in converge_state'"]}
[2018-09-17T17:27:24,010][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:JK_Security, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 30, column 27 (byte 857) after output{\n    if [winlogbeats][event_logs][tags] == \"Security_Log\" {\n        output{\n            elasticsearch ", :backtrace=>["D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:157:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/pipeline_action/create.rb:38:in `execute'", "D:/ELK Stack/logstash-6.4.0/logstash-core/lib/logstash/agent.rb:309:in `block in converge_state'"]}
[2018-09-17T17:27:24,252][DEBUG][logstash.agent           ] Starting puma
[2018-09-17T17:27:24,276][DEBUG][logstash.agent           ] Trying to start WebServer {:port=>9600}
[2018-09-17T17:27:24,362][DEBUG][logstash.api.service     ] [api-service] start
[2018-09-17T17:27:24,728][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2018-09-17T17:27:26,626][WARN ][logstash.runner          ] SIGINT received. Shutting down.

Any help and guidance, or a redirect to simple explanatory documentation / external links, would be much appreciated. Thanks in advance.
Regards,
Juneid.
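The error points at the nested `output{}` blocks: inside an `output` section, a conditional wraps plugin blocks directly, and the file above also has a stray closing `}` after the section. Two further problems would surface once it parses: Winlogbeat puts the per-event_log `tags` (merged with the global `tags`) in the event's top-level `tags` array, so the condition must test membership of `[tags]`, and Elasticsearch index names must be lowercase. The following is a corrected pipeline written for this thread (added example, not the poster's file); the final `else` branch that keeps untagged events is an addition of mine.

```logstash
input {
  beats {
    port => 5044
    host => "0.0.0.0"
    # When Winlogbeat runs on another host, enable TLS here (ssl => true with
    # ssl_certificate / ssl_key) and set output.logstash.ssl.* in winlogbeat.yml.
  }
}

output {
  # "tags" is an array such as ["Security_Log", "WInLogsShipper-Sec&Sys"],
  # so compare with "in", not "==".
  if "Security_Log" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      # Lowercase index prefix: Elasticsearch rejects "SecLog-...".
      index => "seclog-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  } else if "System_Log" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "syslog-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  } else {
    # Added fallback: index events from any channel added later instead of
    # silently dropping them, which would leave a gap in the audit trail.
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
```

The same error is logged twice because two pipelines (`JK_System` and `JK_Security`) are compiling this one file; a single pipeline with the conditional output is sufficient for the routing shown.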


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.