LogStash Json ParserError

Question

LogStash Json ParserError

0

Eu preciso enviar um log com o formato JSON de rsyslog para logsatsh e, em seguida, de logstash para graylog .

Todos os passos que fiz.

etapa 1: config /etc/rsyslog.conf

*.*  action(type="omfwd" target="192.168.163.41" port="514" protocol="udp"
            action.resumeRetryCount="100"
            queue.type="linkedList" queue.size="10000" template="json-template")

etapa 2: defina o modelo json

template(name="json-template" type="list" option.json="on") {
  constant(value="{")
  constant(value="\"timestamp\":\"")
  property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"message\":\"")
  property(name="msg")
  constant(value="\",\"host\":\"")
  property(name="hostname")
  constant(value="\",\"severity\":\"")
  property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"")
  property(name="syslogfacility-text")
  constant(value="\",\"syslog-tag\":\"")
  property(name="syslogtag")
  constant(value="\"}\n")
}

etapa 3: instalar o logstash 6.3.2. e config este arquivo. logstash config:

input {
  udp {
    host => "192.168.163.41"
    port => 10514
    codec => "json"
    tags => "rsyslog"
    }
}

filter { }

output {
 if "rsyslog" in [tags] {
     gelf {
         host => "192.168.163.163"
         sender => "192.168.163.41"
       }
     }
}

passo 4: envio json para cheque.

logger ddddddddddddddddd

etapa 5: Eu recebo este erro:

Sep  9 11:37:02 logread logstash: [2018-09-09T11:37:02,988][ERROR][logstash.codecs.json     ] JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Unexpected character ('t' (code 116)): was expecting comma to separate Object entries
Sep  9 11:37:02 logread logstash: at [Source: (String)"{"@timestamp":"2018-09-09T11:37:02.971589-04:00","@version":"1","message":"\"2018-09-09T11:37:02.972094-04:00\",\"message\":\"ddddddddddddddddd\",\"host\":\"kafka1\",\"severity\":\"notice\",\"facility\":\"user\",\"syslog-tag\":\"root:\"}","sysloghost":"192.168.163.37","severity":"notice","facility":"user","programname":"{"timestamp"","procid":"-"}
Sep  9 11:37:02 logread logstash: "; line: 1, column: 326]>, :data=>"{\"@timestamp\":\"2018-09-09T11:37:02.971589-04:00\",\"@version\":\"1\",\"message\":\"\\"2018-09-09T11:37:02.972094-04:00\\",\\"message\\":\\"ddddddddddddddddd\\",\\"host\\":\\"kafka1\\",\\"severity\\":\\"notice\\",\\"facility\\":\\"user\\",\\"syslog-tag\\":\\"root:\\"}\",\"sysloghost\":\"192.168.163.37\",\"severity\":\"notice\",\"facility\":\"user\",\"programname\":\"{\"timestamp\"\",\"procid\":\"-\"}\n"}

logs rsyslog json logstash rsyslogd

por pyramid13 09.09.2018 / 20:24

0 respostas

Tags logs rsyslog json logstash rsyslogd

Como endereçar mensagens de erro ao usar o recurso “constraints from” do openntpd? Existe uma maneira de registrar o IP para uploads FTP no Redhat?