CODEWITHSUNDEEP
rubyelasticsearchlogstashelastic-stack
Penguen
Penguen

Reputation: 17278

How to add a ruby code inside of the logstash config file?

I try to send logs to windows event by using logstash. After added some ruby code;it is created below error.How can I send logs to windoes event?


input {
  file {
    type => "json"
    path => ["C:/Temp/logs/*.json"]
    start_position => "beginning"
    codec => "json"
    discover_interval => 120
    stat_interval => 60
    sincedb_write_interval => 60
    close_older => 60
  }
}
filter {
mutate {
    remove_field => [ "path" ] 

}
   ruby {
      code => "
           require 'win32/eventlog'
logger = Win32::EventLog.new
logger.report_event(:event_type => Win32::EventLog::INFO, :data => "a test event log entry")
        "
        }
   }
}
output {
    stdout {
        codec => rubydebug
    }



    elasticsearch {
       hosts => ["http://loguser:[email protected]:333"]
       index => "logstash-%{+YYYY.MM}"
    }
}

Error:


[2018-03-20T09:51:28,629][ERROR][logstash.agent           ] Cannot create pipeline {:reason=>"Expected one of #, {, } at line 23, column 75 (byte 464) after filter {\nmutate {\n    remove_field => [ \"path\" ] \n\n}\n   ruby {\n     init => \" require 'win32/eventlog' \n\t \"\n     code => \"\n      logger = Win32::EventLog.new\n      logger.report_event(:event_type => Win32::EventLog::INFO, :data => \""}

Upvotes: 0

Views: 3342

Answers (1)

jdno
jdno

Reputation: 4364

As you can tell from the syntax highlighting in your question, there is an issue with the double quotes you are using. Pay close attention to the black letters in the code block:

"
require 'win32/eventlog'
logger = Win32::EventLog.new
logger.report_event(:event_type => Win32::EventLog::INFO, :data => "a test event log entry")
"

You are wrapping the code block in double quotes, but are also using them to define the string in the event: "a test event log entry". The first quote for the string ends the code block, and LogStash reports a syntax error, because it expected you to close the instruction with a }.

You can also see this in the error message, where it reports the value as the data attribute as a single double quote: :data => \".

Try wrapping the string in single quotes: 'a test event log entry' to fix this issue.

Upvotes: 2

Related Questions