I'm trying to setup my first filebeat forwarder after having used logstash-forwarder for quite a while.
When I try to start up filebeat I'm getting this error:
`[root@web1:/etc/filebeat] #systemctl status filebeat.service
● filebeat.service - LSB: Sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/etc/rc.d/init.d/filebeat)
Active: failed (Result: exit-code) since Sun 2016-01-31 20:58:29 EST; 6s ago
Process: 5579 ExecStart=/etc/rc.d/init.d/filebeat start (code=exited, status=1/FAILURE)
Jan 31 20:58:29 web1 systemd: Starting LSB: Sends log files to Logstash or directly to Elasticsearch....
Jan 31 20:58:29 web1 filebeat: Starting filebeat: Loading config file error: YAML config parsing failed on /etc/filebeat/filebeat.yml: yaml: line 228: did not find expected key. Exiting.
Jan 31 20:58:29 web1 systemd: filebeat.service: control process exited, code=exited status=1
Jan 31 20:58:29 web1 systemd: Failed to start LSB: Sends log files to Logstash or directly to Elasticsearch..
Jan 31 20:58:29 web1 systemd: Unit filebeat.service entered failed state.
Jan 31 20:58:29 web1 systemd: filebeat.service failed.`
This only happens if I try to enable the TLS settings in the config.Otherwise it starts fine, but I don't want to ship logs minus TLS.
Here's the line that the error is complaining about:
logstash: # The Logstash hosts hosts: ["logs.example.com:2541"]
But I think that the problem is up in the TLS section, because if I comment it out I can start it up:
# tls configuration. By default is off. tls: # List of root certificates for HTTPS server verifications certificate_authorities: ["/etc/pki/CA/certs/ca.crt"]
This is my entire config minus the comments:
filebeat: prospectors: - paths: - /var/log/*.log - /var/log/*/*.log input_type: log registry_file: /var/lib/filebeat/registry output: tls: certificate_authorities: ["/etc/pki/CA/certs/ca.crt"] logstash: hosts: ["logs.example.com:2541"] worker: 1 shipper: logging: files:
Could this be a parsing issue of some kind? How can I get this to work?