Logstash Custom Config filter (types)

thsul · November 15, 2021, 10:10am

Hi there,

we have some problems with logstash configurations which was working quite well under the logstash version from elastic directly.

if [type] == "syslog" {

        output {
          opensearch {
            hosts => ["https://opensearch-node1:9200", "https://opensearch-node2:9200"]
            index => "syslog-%{+YYYY.MM.dd}"
            ssl => true
            ssl_certificate_verification => false
            user => "xx"
            password => "xx"
          }
        }
}

With a logstash docker container (image opensearchproject/logstash-oss-with-opensearch-output-plugin:7.13.2) we got the following error:

logstash | [2021-11-15T10:07:20,566][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>“LogStash::ConfigurationError”, :message=>“Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 1, column 1 (byte 1)”, :backtrace=>[“/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize’”, “org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize’”, “/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in block in converge_state’”]}

Are there new “if” filter types or is there any replacement available? We face a similar problem with the type “beats”.

If the first and last line is commented, that logstash service is starting normally.

Regards

searchymcsearchface · November 15, 2021, 3:05pm

Nothing new/changed should have been introduced. That error message doesn’t look like it’s from the output plugin.

Are you migrating versions of Logstash?

thsul · November 15, 2021, 3:21pm

If i remove the filter (see quote) logstash is starting normally. So the problem is not the output, it is the filter.

shdubsh · November 16, 2021, 12:20am

The important part of the error message is:

Expected one of [ \t\r\n], “#”, “input”, “filter”, “output” at line 1, column 1 (byte 1)

In this case, an output block should be defined and everything else then goes inside it:

output {
  if [type] == "syslog" {
    opensearch { ... }
  }
}

thsul · November 16, 2021, 6:39am

Thats it. Thank you. For wthatever reason this was changed at our end…

Topic		Replies	Views
Logstash-oss with elasticsearch filter plugin connecting to opensearch General Feedback	5	1576	December 21, 2021
Logstash-OSS with Opensearch Plugin Failed to Execute Action OpenDistro	11	2167	December 22, 2021
Logstash OpenSearch Plugin Doc Instructions result in failure: logstash pipeline doesn't like colons OpenDistro	7	1308	January 6, 2022
Having problem forwarding logs from logstash to elasticsearch via SSL Open Source Elasticsearch and Kibana	1	374	February 7, 2023
Logstash exited with code 1 Open Source Elasticsearch and Kibana security-issue	8	3174	December 15, 2021

Logstash Custom Config filter (types)

Related Topics