Linked Questions

Popular Questions

JSON Parse errors in Logstash - Solved

Asked by At

When attempting to parse JSON data with Logstash, it seems to fail the parse and my JSON doesn't get sent to ES as expected. Any suggestions would be great. Attempting to log failed Wordpress logins, but having no luck with the parsing of the JSON.

Currently using Logstash 6.4.2 on FreeBSD 11.

Example log file. File has nothing else but this data.

{
"username": "billy",
"password": "gfdgdfdfg4",
"time": "2019-02-03 00:39:11",
"agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko\/20100101 Firefox\/62.0",
"ip": "11.11.11.11"
}

Template

{
  "index_patterns": ["wpbadlogin*"],
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas" : 0,
      "index.refresh_interval": "60s"
    },
    "mappings": {
      "_default_": {
        "properties": {
          "host": {
            "type": "text"
          },
          "username": {
            "type": "text"
          },
          "password": {
            "type": "text"
          },
          "agent": {
            "type": "text"
          },
          "ip": {
            "type": "ip"
          }
        },
        "_all": {
          "enabled": false
        }
      }
    }
}

Logstash config

input {

    file {
        type => "json"
        codec => "json"
        sincedb_path => "/dev/null"
        path => "/var/log/lighttpd/badlogin.txt"
        start_position => "beginning"#
        tags => ["wpbadlogin"]
    }
}

#filter { }

output {

    stdout {
        codec => rubydebug
    }

    elasticsearch {

        hosts => ["10.0.5.30:9200"]
        template => "/usr/local/etc/logstash/templates/wpbadlogin.json"
        template_name => "wpbadlogin"
        template_overwrite => true
        index => "wpbadlogin"
    }
}

Error: https://pastebin.com/raw/KWEYGkLn

Related Questions