So I have the following logstash filter config file.
filter {
  if [type] == "syslog" and [message] =~ "diskstation" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{INT:version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{DATA:syslog_program} - - (?:\[meta sequenceId="%{POSINT:message_id}"])? %{GREEDYDATA:syslog_message}" }
    }
  } else if [type] == "syslog" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
}
Using the Grok Debugger the filters work fine, but when starting logstash I get the following error:
Jun 03 11:49:38 nuc logstash[27352]: Error: Expected one of #, {, } at line 16, column 170 (byte 348) after filter {
Jun 03 11:49:38 nuc logstash[27352]: if [type] == "syslog" and [message] =~ "ds02" {
Jun 03 11:49:38 nuc logstash[27352]: grok {
Jun 03 11:49:38 nuc logstash[27352]: match => { "message" => "<%{POSINT:syslog_pri}>%{INT:version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{DATA:syslog_program} - - (?:\[meta sequenceId="
Jun 03 11:49:38 nuc logstash[27352]: You may be interested in the '--configtest' flag which you can
Jun 03 11:49:38 nuc logstash[27352]: use to validate logstash's configuration before you choose
Jun 03 11:49:38 nuc logstash[27352]: to restart a running system.
I can't for the life of me figure out what the syntax error is. Could anyone point me in the right direction?
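The parser error above stops right after `sequenceId="`: inside a double-quoted config string that inner `"` ends the string, which the Grok Debugger never sees because it is given the bare pattern only. An added example (not part of the original post) of the same filter with the first pattern wrapped in single quotes, so the inner double quotes stay literal:

```logstash
filter {
  if [type] == "syslog" and [message] =~ "diskstation" {
    grok {
      # Single-quoted pattern string: the double quotes around the
      # sequenceId value are literal characters here, not string terminators.
      match => { "message" => '<%{POSINT:syslog_pri}>%{INT:version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{DATA:syslog_program} - - (?:\[meta sequenceId="%{POSINT:message_id}"])? %{GREEDYDATA:syslog_message}' }
    }
  } else if [type] == "syslog" {
    grok {
      # This pattern contains no double quotes, so it is unchanged.
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
}
```

Running Logstash with the `--configtest` flag named in the error output checks the file before the service is restarted.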