Beats error: No paths were defined for input accessing config

Elastic Stack Beats
,
1

Hi everyone ,

I am currently trying to configure filebeat to retrieve logs from my palo alto firewall, I have configured and enable the panw modules:

- module: panw
  panos:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_host: 9001

And my filebeat.yml configuration:

filebeat.inputs:
- type: log
  id: my-filestream-id
  enabled: true
  paths:
   - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "172.16.10.62:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"
  password: "ozPpuZ0=ypPMUHJLkobf"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "051670d7e5518a12a0d63ab9c84ce6bc2313371b9a5e6d55b0e4276804eedab2"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

And there is the error i got:

Apr 19 09:12:11 srv-elk filebeat[1363719]: {"log.level":"error","@timestamp":"2023-04-19T09:12:11.648Z","log.logger":"reload","log.origin":{"fi  le.name":"cfgfile/list.go","file.line":109},"message":"Error creating runner from config: failed to create input: No paths were defined for input accessing config","service.name":"filebeat","ecs.version":"1.6.0"}

I'm just starting with filebeat but if I understand correctly I don't need to set anything in filebeats.yml if i use a module right?

If anyone has an idea .. :smile:

2

It seems that he necessarily wants a path, as if he necessarily wants me to install filebeats on the firewall. Yet I saw that it was possible to install this module in this way.

I tried a similar configuration with the fortinet module and listening on the port activates well.

Any ideas ?

3

This can happen if you have enabled inputs or modules but not added paths.

Please run

`filebeat modules list

Also, is that the entire panw.yml

Also do you purposely have that filestream enabled

4

Thanks for the reply,
Here is the command, there is only this module activated:

root@srv-elk:/home/tml# filebeat modules list
Enabled:
panw

Disabled:
activemq
...

And yes i sent the whole file.
For the filebeat.inputs, I forgot it, I disabled it but nothing changes.
But i saw something in the panw.yml, there was this comment sentence above the var.input:

# Set which input to use between syslog (default) or file.

I thought that since I was using udp to send my logs, I need to set udp for the input but I guess no
So i set the input to syslog
My panw.yml:


- module: panw
  panos:
    enabled: true
    # Set which input to use between syslog (default) or file.
    var.input: syslog
    #var.paths: ["/var/log/pan-os.log"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.syslog_host: 0.0.0.0
    var.syslog_host: 9001

So i guess the original error is solved.
But now, i got an another error:

Apr 24 06:43:32 srv-elk filebeat[1407097]: {"log.level":"error","@timestamp":"2023-04-24T06:43:32.198Z","log.logger":"syslog","log.origin":"file.name":"syslog/input.go","file.line":151},"message":"Error starting the servererrorlisten udp 0.0.35.41:9001: bind: cannot assign requested address","service.name":"filebeat","ecs.version":"1.6.0"}

I just realized that I put 2 times var.syslog_host, instead of port...
Now listening goes without any errors.

So the original error was because of the input type.

My final panw.yml:

type or paste code here- module: panw
  panos:
    enabled: true

    # Set which input to use between syslog (default) or file.
    var.input: syslog
    #var.paths: ["/var/log/pan-os.log"]
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001

    # Set internal security zones. used to determine network.direction
    # default "trust"
    #var.internal_zones:

    # Set external security zones. used to determine network.direction
    # default "untrust"
    #var.external_zones:

All this could have been avoided if I had opened my eyes properly. :face_with_peeking_eye:

1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.