Auditbeat Errors - Do Not Pass Go Do Not Collect $200

Elastic Stack Beats
1

What's the rule on spacing? Below are two different spacing scenarios and the related errors for logstash as an output.

#----------------------------- Logstash output --------------------------------
# Zero space in front of "output.logstash:", 2 spaces in front of all #subsequent settings
> output.logstash:
>     enabled: true
>     hosts: ["x.x.x.x:1234"]
>     worker: 32
>     compression_level: 3
>     escape_html: true
>     pipelining: 5
>     max_retries: -1
>     bulk_max_size: 8192

Command
sudo auditbeat setup --template -E output.logstash.enabled=false

Error
Exiting: error loading config file: yaml: line 137: did not find expected key

#----------------------------- Logstash output --------------------------------
# 1 space in front of "output.logstash:", 3 spaces in front of all # #subsequent settings
>  output.logstash:
>      enabled: true
>      hosts: ["x.x.x.x:1234"]
>      worker: 32
>      compression_level: 3
>      escape_html: true
>      pipelining: 5
>      max_retries: -1
>      bulk_max_size: 8192

Command
sudo auditbeat setup --template -E output.logstash.enabled=false

Error
Exiting: error initializing publisher: No outputs are defined. Please define one under the output section.

2

It's yml so it should be 2 spaces.

But if you can reformat things using the </> (aka code) button, or use markdown style back ticks, then it'd really help :slight_smile:

3

To clarify - for Logstash output; should the first line that begins with "output.logstash:" have zero or 1 space in front of it?

4

Zero spaces before any "top level" blocks like logstash.output, and add 2 spaces for each additional nesting level.

The installed Auditbeat comes with a config file with good defaults (or check it out on GitHub) and some of the most commonly used options commented out. The convention for commented out sections is # (pound sign and no spaces following it). If you uncomment by always removing the pound sign without re-adding spaces, everything should be nested correctly.

So you're almost there. The following should do it:

output.logstash:
  enabled: true
  hosts: ["x.x.x.x:1234"]
  worker: 32
  compression_level: 3
  escape_html: true
  pipelining: 5
  max_retries: -1
  bulk_max_size: 8192
5

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.