Beats error: No paths were defined for input accessing config

Hi everyone,

I am currently trying to configure Filebeat to retrieve logs from my Palo Alto firewall. I have configured and enabled the panw module:

- module: panw
  panos:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_host: 9001

And my filebeat.yml configuration:

filebeat.inputs:
- type: log
  id: my-filestream-id
  enabled: true
  paths:
   - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "172.16.10.62:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"
  password: "ozPpuZ0=ypPMUHJLkobf"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "051670d7e5518a12a0d63ab9c84ce6bc2313371b9a5e6d55b0e4276804eedab2"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

And here is the error I got:

Apr 19 09:12:11 srv-elk filebeat[1363719]: {"log.level":"error","@timestamp":"2023-04-19T09:12:11.648Z","log.logger":"reload","log.origin":{"file.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: failed to create input: No paths were defined for input accessing config","service.name":"filebeat","ecs.version":"1.6.0"}

I'm just starting with Filebeat, but if I understand correctly I don't need to set anything in filebeat.yml if I use a module, right?

If anyone has an idea... :smile:

It seems that it necessarily wants a path, as if it necessarily wants me to install Filebeat on the firewall. Yet I saw that it was possible to install this module in this way.

I tried a similar configuration with the fortinet module and listening on the port activates well.

Any ideas?

This can happen if you have enabled inputs or modules but not added paths.

Please run

`filebeat modules list`

Also, is that the entire panw.yml?

Also, do you purposely have that filestream enabled?

Thanks for the reply,
Here is the command, there is only this module activated:

root@srv-elk:/home/tml# filebeat modules list
Enabled:
panw

Disabled:
activemq
...

And yes, I sent the whole file.
For the filebeat.inputs, I forgot it; I disabled it but nothing changes.
But I saw something in the panw.yml: there was this comment above the var.input:

# Set which input to use between syslog (default) or file.

I thought that since I was using udp to send my logs, I needed to set udp for the input, but I guess not.
So I set the input to syslog.
My panw.yml:


- module: panw
  panos:
    enabled: true
    # Set which input to use between syslog (default) or file.
    var.input: syslog
    #var.paths: ["/var/log/pan-os.log"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.syslog_host: 0.0.0.0
    var.syslog_host: 9001

So I guess the original error is solved.
But now I got another error:

Apr 24 06:43:32 srv-elk filebeat[1407097]: {"log.level":"error","@timestamp":"2023-04-24T06:43:32.198Z","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":151},"message":"Error starting the servererrorlisten udp 0.0.35.41:9001: bind: cannot assign requested address","service.name":"filebeat","ecs.version":"1.6.0"}

I just realized that I put var.syslog_host twice, instead of port...
Now listening starts without any errors.

So the original error was because of the input type.

My final panw.yml:

- module: panw
  panos:
    enabled: true

    # Set which input to use between syslog (default) or file.
    var.input: syslog
    #var.paths: ["/var/log/pan-os.log"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001

    # Set internal security zones. used to determine network.direction
    # default "trust"
    #var.internal_zones:

    # Set external security zones. used to determine network.direction
    # default "untrust"
    #var.external_zones:

All this could have been avoided if I had opened my eyes properly. :face_with_peeking_eye:

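Added example (not part of the thread and not Elastic's code): a small Python check for the mistake found above, a key repeated inside one mapping of a module file, plus the arithmetic behind the `0.0.35.41` in the bind error, which is the integer 9001 read as a 32-bit IPv4 address. The sample is constructed from the first panw.yml posted above; `duplicate_keys` and `host_as_bind_address` are hypothetical helper names, and the scanner assumes simple indented `key: value` YAML only.

```python
import ipaddress
import re

# Constructed sample: the panw.yml from the thread before the fix, where
# var.syslog_host appears twice and var.syslog_port is missing.
SAMPLE = """\
- module: panw
  panos:
    enabled: true
    var.input: syslog
    var.syslog_host: 0.0.0.0
    var.syslog_host: 9001
"""

# indent, optional "- " list marker, key (not a comment), colon, space or EOL
KEY_RE = re.compile(r"^(\s*)(-\s+)?([^\s#:][^:#]*?):(\s|$)")


def duplicate_keys(text):
    """Return (line_no, key, first_line_no) for keys repeated in one mapping."""
    findings = []
    stack = []  # open mappings as (indent, {key: line_no}), innermost last
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue  # comments, blank lines, continuation values
        indent = len(m.group(1)) + len(m.group(2) or "")
        key = m.group(3).strip()
        while stack and stack[-1][0] > indent:
            stack.pop()  # left one or more nested mappings
        if m.group(2) and stack and stack[-1][0] == indent:
            stack.pop()  # "- " starts a new list item, so a fresh mapping
        if not stack or stack[-1][0] < indent:
            stack.append((indent, {}))
        seen = stack[-1][1]
        if key in seen:
            findings.append((no, key, seen[key]))
        else:
            seen[key] = no
    return findings


def host_as_bind_address(value):
    """Dotted-quad form of a bare integer given where a host was expected."""
    return str(ipaddress.ip_address(int(value)))


if __name__ == "__main__":
    for no, key, first in duplicate_keys(SAMPLE):
        print(f"line {no}: '{key}' already set on line {first}")
    print("9001 as an IPv4 address:", host_as_bind_address("9001"))
```
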