Error creating runner from config: failed to create input: Can only start an input when all related states are finished:

Hi all

I get the logs from Suricata (eve.json), so I've enabled the suricata module in filebeat.
But whenever I start filebeat, I get this error.

2021-08-13T18:11:18.650+0900 ERROR [reload] cfgfile/list.go:99 Error creating runner from config: failed to create input: Can only start an input when all related states are finished: {Id: native::12216862-129, Finished: false, Fileinfo: &{eve.json 4732 420 {802951655 63764442666 0x562c8bea5e40} {129 12216862 1 33188 0 0 0 0 4732 4096 16 {1628845832 278954369} {1628845866 802951655} {1628845866 802951655} [0 0 0]}}, Source: /var/log/suricata/eve.json, Offset: 9464, Timestamp: 2021-08-13 18:11:16.677225147 +0900 KST m=+89.312697257, TTL: -1ns, Type: log, Meta: map[], FileStateOS: 12216862-129}

I think because of this error, the filebeat module is not working well, so logs are not parsed.
This is my filebeat.yml:

filebeat.inputs:
- type: log
  enabled: true
  paths:
   - /var/log/suricata/eve.json
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: true #false

setup.dashboards.enabled: true
setup.kibana.host: "http://kibana:5601"


output.elasticsearch:
  hosts: [ "http://elasticsearch:9200" ]
  username: elastic
  password: password
setup.ilm.enabled: false
setup.ilm.check_exists: false

This is the Dockerfile for filebeat:

FROM docker.elastic.co/beats/filebeat:7.13.4
#COPY ${pwd}/config/filebeat.yml /usr/share/filebeat/filebeat.yml
USER root
RUN chown root:filebeat /usr/share/filebeat/filebeat.yml
RUN filebeat modules enable suricata
USER filebeat

This is the filebeat part of docker-compose.yml:

  filebeat:
    build:
      context: filebeat/
    user: root
    volumes:
      - /var/lib/docker:/var/lib/docker:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - {pwd}/test_elk/filebeat/config/filebeat.yml:/usr/share/filebeat/filebeat.yml
      - {pwd}/test_elk/suricata/test_suricata_5.0/log:/var/log/suricata
    entrypoint: "filebeat -e -strict.perms=false"
    privileged: true
    networks:
      - elk

I don't know how I can solve this problem.
What is the problem and how can I solve it?

Thanks.

Can you post the config for the suricata module too? It looks like you're using a normal log input to read the suricata logs, not the module. Are you using both? If so, that may be causing issues if filebeat is trying to read it with both.

Yes, you're right.
I put the same log input path in both the filebeat and the module configuration.
I solved the problem when I removed one log input.

Thank you very much!
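
The fix confirmed above is to have eve.json read from one place only. As an added example (not code from the thread or from Elastic), this Python check pulls the `paths:` and `var.paths:` entries out of a filebeat.yml and a modules.d file and flags overlaps. The modules.d/suricata.yml content is an assumption, since the thread never shows it, and the parser handles only the simple list layouts used here.

```python
import re
from fnmatch import fnmatch

# Constructed samples: the input section from the post, and a
# modules.d/suricata.yml assumed here (the thread never shows it).
FILEBEAT_YML = """\
filebeat.inputs:
- type: log
  enabled: true
  paths:
   - /var/log/suricata/eve.json
"""
SURICATA_YML = """\
- module: suricata
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]
"""

PATHS_KEY = re.compile(r"^(\s*)(?:var\.)?paths:\s*(.*)$")
LIST_ITEM = re.compile(r"^(\s*)-\s+(.+)$")

def extract_paths(text):
    """Collect entries of every `paths:` / `var.paths:` list (flow or block style)."""
    found, key_indent = [], None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, item = PATHS_KEY.match(line), LIST_ITEM.match(line)
        if key:
            inline = key.group(2).strip()
            if inline.startswith("["):              # flow style: ["a", "b"]
                found += [p.strip(" '\"") for p in inline.strip("[]").split(",") if p.strip()]
            # block style: remember the key's indent; items follow on later lines
            key_indent = None if inline else len(key.group(1))
        elif key_indent is not None and item and len(item.group(1)) >= key_indent:
            found.append(item.group(2).strip(" '\""))
        else:
            key_indent = None                       # any other line ends the list
    return found

def overlapping(input_paths, module_paths):
    """Pairs that are equal or where one glob matches the other (heuristic)."""
    return [(a, b) for a in input_paths for b in module_paths
            if a == b or fnmatch(a, b) or fnmatch(b, a)]

if __name__ == "__main__":
    for a, b in overlapping(extract_paths(FILEBEAT_YML), extract_paths(SURICATA_YML)):
        print(f"harvested twice: input {a!r} overlaps module path {b!r}")
```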
