
LogStash message misconfiguration error: Failed to execute action


I am working with Logstash and the kv plugin to parse and identify the fields of a log file generated by a Fortigate UTM device; however, I cannot get it to work.

EDIT - I have since gotten the config to work; the code below works for Fortigate OS logs.

#Begin Input
# Receives raw syslog over UDP. UDP is connectionless and unauthenticated, so
# any host that can reach this port can inject events or spoof the source
# address; restrict reachability with a host/network firewall. 514 is a
# privileged port on most Unix systems, so binding it needs root or
# CAP_NET_BIND_SERVICE -- check how this Logstash instance is started.
input {
  udp  {
    type => "syslogrrr"
    port => 514
 }
}
#End Input

#Begin Filter
filter {
#Begin If Statement
  # Only events tagged by the udp input above pass through this pipeline.
  if [type] == "syslogrrr" {
#Begin Grok
# Splits the syslog envelope (timestamp, hostname) off the Fortigate payload.
# syslog_hostname is whatever the sender wrote into the header; it is not
# checked against the packet's source address. Events that do not match are
# tagged _grokparsefailure and still continue down the pipeline.
grok {
   match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }
     }
#End Grok

#Begin KV Plugin
# Turns every key=value pair in the payload into a top-level event field.
# No include_keys / exclude_keys allow-list is set, so the sender controls
# which field names reach Elasticsearch (unbounded mapping growth, or
# collisions with fields this pipeline already relies on). Consider
# allow-listing the Fortigate keys that are actually indexed.
kv {
    source => "syslog_message"
    value_split => "="
   }
#End KV Plugin

#Begin Mutate
# Converts the numeric Fortigate keys so Elasticsearch can range-query and
# aggregate them. remove_field drops the raw message copies; the _id/_index/
# _score/_type names are Elasticsearch metadata and are presumably not
# present on the event, so those entries should be no-ops -- confirm.
# logTimestamp is assembled from the Fortigate "date" and "time" keys; if
# either is absent the "%{date}"/"%{time}" reference presumably stays
# literal and the date filter below cannot match it.
mutate {
  convert => {
    "sentbyte" => "integer"
    "craction" => "integer"
    "crscore" => "integer"
    "dstport" => "integer"
    "duration" => "integer"
    "eventtime" => "integer"
    "logid" => "integer"
    "policyid" => "integer"
    "proto" => "integer"
    "rcvdbyte" => "integer"
    "rcvdpkt" => "integer"
    "sentpkt" => "integer"
    "sessionid" => "integer"
    "srcport" => "integer"
        "transport" => "integer"
            }
   remove_field => [ "message","syslog_message","path","@version","_id","_index","_score","_type" ]
   add_field => ["logTimestamp", "%{date} %{time}"]
        }
#End Mutate

#Begin Date
# Sets @timestamp from the device's own date/time (interpreted as
# America/Guyana) instead of the ingest time, so events order correctly
# when correlated. remove_field only runs when the match succeeds; on
# failure the event is tagged _dateparsefailure and keeps the ingest-time
# @timestamp -- worth alerting on, since that silently skews timelines.
date {
      locale => "en"
      match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
      remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
      timezone=> "America/Guyana"
    }
#End Date

  }
#End If Statement
}
#End Filter

#Begin Output
# Plain HTTP to a local node with no credentials or TLS in this config --
# acceptable only while Elasticsearch is bound to localhost. The index name
# is derived from the event's @timestamp, one index per day.
output {
  elasticsearch { hosts => ["localhost:9200"] 
  index => "logstash-%{+yyyy.MM.dd}-001"

  }
 }
#End Output

Hope this helps anyone looking.


Solution

  • #Begin Input
    # Receives raw syslog over UDP. UDP is connectionless and unauthenticated, so
    # any host that can reach this port can inject events or spoof the source
    # address; restrict reachability with a host/network firewall. 514 is a
    # privileged port on most Unix systems, so binding it needs root or
    # CAP_NET_BIND_SERVICE -- check how this Logstash instance is started.
    input {
      udp  {
        type => "syslogrrr"
        port => 514
     }
    }
    #End Input
    
    #Begin Filter
    filter {
    #Begin If Statement
      # Only events tagged by the udp input above pass through this pipeline.
      if [type] == "syslogrrr" {
    #Begin Grok
    # Splits the syslog envelope (timestamp, hostname) off the Fortigate payload.
    # syslog_hostname is whatever the sender wrote into the header; it is not
    # checked against the packet's source address. Events that do not match are
    # tagged _grokparsefailure and still continue down the pipeline.
    grok {
       match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }
         }
    #End Grok
    
    #Begin KV Plugin
    # Turns every key=value pair in the payload into a top-level event field.
    # No include_keys / exclude_keys allow-list is set, so the sender controls
    # which field names reach Elasticsearch (unbounded mapping growth, or
    # collisions with fields this pipeline already relies on). Consider
    # allow-listing the Fortigate keys that are actually indexed.
    kv {
        source => "syslog_message"
        value_split => "="
       }
    #End KV Plugin
    
    #Begin Mutate
    # Converts the numeric Fortigate keys so Elasticsearch can range-query and
    # aggregate them. remove_field drops the raw message copies; the _id/_index/
    # _score/_type names are Elasticsearch metadata and are presumably not
    # present on the event, so those entries should be no-ops -- confirm.
    # logTimestamp is assembled from the Fortigate "date" and "time" keys; if
    # either is absent the "%{date}"/"%{time}" reference presumably stays
    # literal and the date filter below cannot match it.
    mutate {
      convert => {
        "sentbyte" => "integer"
        "craction" => "integer"
        "crscore" => "integer"
        "dstport" => "integer"
        "duration" => "integer"
        "eventtime" => "integer"
        "logid" => "integer"
        "policyid" => "integer"
        "proto" => "integer"
        "rcvdbyte" => "integer"
        "rcvdpkt" => "integer"
        "sentpkt" => "integer"
        "sessionid" => "integer"
        "srcport" => "integer"
            "transport" => "integer"
                }
       remove_field => [ "message","syslog_message","path","@version","_id","_index","_score","_type" ]
       add_field => ["logTimestamp", "%{date} %{time}"]
            }
    #End Mutate
    
    #Begin Date
    # Sets @timestamp from the device's own date/time (interpreted as
    # America/Guyana) instead of the ingest time, so events order correctly
    # when correlated. remove_field only runs when the match succeeds; on
    # failure the event is tagged _dateparsefailure and keeps the ingest-time
    # @timestamp -- worth alerting on, since that silently skews timelines.
    date {
          locale => "en"
          match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss"]
          remove_field => ["logTimestamp", "year", "month", "day", "time", "date"]
          timezone=> "America/Guyana"
        }
    #End Date
    
      }
    #End If Statement
    }
    #End Filter
    
    #Begin Output
    # Plain HTTP to a local node with no credentials or TLS in this config --
    # acceptable only while Elasticsearch is bound to localhost. The index name
    # is derived from the event's @timestamp, one index per day.
    output {
      elasticsearch { hosts => ["localhost:9200"] 
      index => "logstash-%{+yyyy.MM.dd}-001"
    
      }
     }
    #End Output