Error after upgrading filebeat to 7.10

borna_talebi · November 14, 2020, 11:49am

Hi, after I upgraded my stack to 7.10(from 7.9.3), I tried to upgrade my filebeat. But I'm getting this error:

Nov 14 14:41:54 XXXXXXX filebeat[13184]: 2020-11-14T14:41:54.462+0330        INFO        instance/beat.go:461        filebeat stopped.
Nov 14 14:41:54 XXXXXXX filebeat[13184]: 2020-11-14T14:41:54.462+0330        ERROR        instance/beat.go:956        Exiting: Failed to start crawler: creating module reloader failed: Error getting config for fileset cisco/umbrella: Error interpreting the template of the input: template: text:1:9: executing "text" at <.input>: map has no entry for key "input"
Nov 14 14:41:54 XXXXXXX filebeat[13184]: Exiting: Failed to start crawler: creating module reloader failed: Error getting config for fileset cisco/umbrella: Error interpreting the template of the input: template: text:1:9: executing "text" at <.input>: map has no entry for key "input"
Nov 14 14:41:54 XXXXXXX systemd[1]: Unit filebeat.service entered failed state.
Nov 14 14:41:54 XXXXXXX systemd[1]: filebeat.service failed.
Nov 14 14:41:54 XXXXXXX systemd[1]: filebeat.service holdoff time over, scheduling restart.
Nov 14 14:41:54 XXXXXXX systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
-- Subject: Unit filebeat.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit filebeat.service has finished shutting down.
Nov 14 14:41:54 XXXXXXX systemd[1]: start request repeated too quickly for filebeat.service
Nov 14 14:41:54 XXXXXXX systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
-- Subject: Unit filebeat.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit filebeat.service has failed.
-- 
-- The result is failed.

I've upgraded filebeat using RPM :
sudo rpm --Uvh FILEBEAT_FILE.rpm
and after I use systemctl start filebeat I get the above errors.
Here is my filebeat.yml
If I disable cisco module, everything works fine.

Wolfram_Haussig · November 16, 2020, 7:53am

Hi,

Can you share your cisco yml too please?

Best regards
Wolfram

borna_talebi · November 16, 2020, 8:04am

Hi,

Is this the file you wanted?

File: /etc/filebeat/modules.d/cisco.yml:

- module: cisco
  asa:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
    var.log_level: 7

  ios:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9002

  ftd:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9003
    var.log_level: 7

FYI, I'm not sending any data from cisco devices to filebeat. I just forgot to disable it before.

Wolfram_Haussig · November 16, 2020, 8:21am

I think the Cisco yml is out of date because both the rpm and the gzip versions of FileBeat 7.10 do not provide a cisco.yml anymore.

borna_talebi · November 16, 2020, 8:53am

Now that I think about it, there is no umbrella module in cisco.yml. make sense.

So if I install it with yum then everything shoud be fine. right?

Wolfram_Haussig · November 16, 2020, 9:21am

I don't think so but I only checked if rpm and gzip contains the cisco.yml.

Aaron_Norton · December 3, 2020, 9:23pm

I am having the same issue but I installed filebeat-7.10 from scratch - not upgrade. It did include modules.d/cisco.yml.disabled. After enabling the cisco module I get the same error.

BenB196 · December 3, 2020, 9:41pm

Try adding the following to cisco.yml

  nexus:
    enabled: false
  meraki:
    enabled: false
  umbrella:
    enabled: false

Its only a work around, not sure the cause of the error

Aaron_Norton · December 4, 2020, 2:18pm

My cisco.yml is below. It still doesn't work. Here is the error:

2020-12-04T08:16:55.576-0600 INFO beater/filebeat.go:117 Enabled modules/filesets: system (auth, syslog), auditd (log), elasticsearch (server, slowlog, audit, deprecation, gc), kibana (log), cisco (ftd, ios, meraki, nexus, umbrella, asa)
2020-12-04T08:16:55.578-0600 ERROR instance/beat.go:956 Exiting: Error getting config for fileset cisco/umbrella: Error interpreting the template of the input: template: text:1:9: executing "text" at <.input>: map has no entry for key "input"
Exiting: Error getting config for fileset cisco/umbrella: Error interpreting the template of the input: template: text:1:9: executing "text" at <.input>: map has no entry for key "input"

module: cisco
asa:
enabled: false
ftd:
enabled: true
ios:
enabled: false
nexus:
enabled: false
meraki:
enabled: false
umbrella:
enabled: false

BenB196 · December 4, 2020, 2:35pm

@Aaron_Norton it looks like your yaml might be malformed.

Try using the below text:

- module: cisco
  asa:
    enabled: false
  ios:
    enabled: false
  ftd:
    enabled: true
  nexus:
    enabled: false
  meraki:
    enabled: false
  umbrella:
    enabled: false

Aaron_Norton · December 4, 2020, 2:57pm

Sorry that was a formatting error in the forum on my part. The cisco.yml isn't malformed but I did go ahead and paste your text exactly as it appears and it didn't help.

I have found if I add a couple of lines to /usr/share/filebeat/module/cisco/umbrella/manifest.yml I can get past that error and on to a new one. I added these 2 lines under var:
- name: input
- name: paths

I am a little confused on why it seems to be ignoring the fact that I have umbrella disabled.

Aaron_Norton · December 4, 2020, 4:43pm

commenting the below section out in the ingest/pipeline.yml gets me passed the errors and filebeat starts properly finally

    #- split:
    #    field: cisco.umbrella.identities
    #    separator: ","
    #    preserve_trailing: false
    #    if: "ctx?.log?.file?.path.contains('dnslogs') && ctx?.cisco?.umbrella?.identities != null"

system · January 1, 2021, 6:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.