Narendra Rajcoomar
Reputation: 33
LogStash message misconfiguration error: Failed to execute action
I am working with Logstash and the Kv plugin to parse and identify the fields of a log file which is generated by a Fortigate UTM device, however I cannot get it to work,
EDIT - I have since gotten the config to work, the code below works for Fortigate OS logs
#Begin Input
input {
udp {
type => "syslogrrr"
port => 514
}
}
#End Input
#Begin Filter
filter {
#Begin If Statement
if [type] == "syslogrrr" {
#Begin Grok
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }
}
#End Grok
#Begin KV Plugin
kv {
source => "syslog_message"
value_split => "="
}
#End KV Plugin
#Begin Mutate
mutate {
convert => {
"sentbyte" => "integer"
"craction" => "integer"
"crscore" => "integer"
"dstport" => "integer"
"duration" => "integer"
"eventtime" => "integer"
"logid" => "integer"
"policyid" => "integer"
"proto" => "integer"
"rcvdbyte" => "integer"
"rcvdpkt" => "integer"
"sentpkt" => "integer"
"sessionid" => "integer"
"srcport" => "integer"
"transport" => "integer"
}
remove_field => [ "message","syslog_message","path","@version","_id","_index","_score","_type" ]
add_field => ["logTimestamp", "%{date} %{time}"]
}
#End Mutate
#Begin Date
date {
locale => "en"
match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
timezone=> "America/Guyana"
}
#End Date
}
#End If Statement
}
#End Filter
#Begin Output
output {
elasticsearch { hosts => ["localhost:9200"]
index => "logstash-%{+yyyy.MM.dd}-001"
}
}
#End Output
Hope this helps for anyone looking
Upvotes: 0
Views: 98
Answers (2)
Narendra Rajcoomar
Reputation: 33
#Begin Input
input {
udp {
type => "syslogrrr"
port => 514
}
}
#End Input
#Begin Filter
filter {
#Begin If Statement
if [type] == "syslogrrr" {
#Begin Grok
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }
}
#End Grok
#Begin KV Plugin
kv {
source => "syslog_message"
value_split => "="
}
#End KV Plugin
#Begin Mutate
mutate {
convert => {
"sentbyte" => "integer"
"craction" => "integer"
"crscore" => "integer"
"dstport" => "integer"
"duration" => "integer"
"eventtime" => "integer"
"logid" => "integer"
"policyid" => "integer"
"proto" => "integer"
"rcvdbyte" => "integer"
"rcvdpkt" => "integer"
"sentpkt" => "integer"
"sessionid" => "integer"
"srcport" => "integer"
"transport" => "integer"
}
remove_field => [ "message","syslog_message","path","@version","_id","_index","_score","_type" ]
add_field => ["logTimestamp", "%{date} %{time}"]
}
#End Mutate
#Begin Date
date {
locale => "en"
match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
timezone=> "America/Guyana"
}
#End Date
}
#End If Statement
}
#End Filter
#Begin Output
output {
elasticsearch { hosts => ["localhost:9200"]
index => "logstash-%{+yyyy.MM.dd}-001"
}
}
#End Output
Upvotes: 0
Bloomstar
Reputation: 155
filter {
kv {
source => "message"
exclude_keys => [ "type", "subtype" ] }
geoip { source => "dst" }
geoip { source => "dstip" }
geoip { source => "src" }
geoip { source => "srcip" }
mutate {
rename => [ "dst", "dst_ip" ]
rename => [ "dstip", "dst_ip" ]
rename => [ "dstport", "dst_port" ]
rename => [ "devname", "device_id" ]
rename => [ "status", "action" ]
rename => [ "src", "src_ip" ]
rename => [ "srcip", "src_ip" ]
rename => [ "zone", "src_intf" ]
rename => [ "srcintf", "src_intf" ]
rename => [ "srcport", "src_port" ]
rename => [ "rcvd", "byte_recieved" ]
rename => [ "rcvdbyte", "bytes_recieved" ]
rename => [ "sentbyte", "bytes_sent" ]
rename => [ "sent", "bytes_sent" ]
convert => ["bytes_recieved", "integer"]
convert => ["bytes_sent", "integer"]
remove_field => [ "msg" ]
}
}
This filter works fine. I think you have added 3 extra close brackets.
Upvotes: 3
Related Questions
- Logstash got exception in running
- How can logstash be executed? (error occured)
- How can i resolve a problem with Logstash?
- Logstash expected one of #
- Logstash configtest
- I cannot start logstash on my machine. Error message inside
- Logstash Error - No config files found: logstash.conf. Can you make sure this path is a logstash config file?
- No config files found in Logstash 1.4
- Error in logstash configuration file
- Logstash server configuration issues