Failed to start Filebeat MISP treats

Tetsuho · April 22, 2022, 6:43pm

Hi Everyone im glad to be part of this comunity. Im here beacause a got a error message when I try to start the filebeat service after do some modifications related to a enable de MISP threat intel Logs.
Here is the filebeat.yml

# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
        hosts: ["172.X0.1XX.12:9200"]
   Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
        username: "elastic"
        password: "VwIL2s3kJre9HNBE9A5u"
#setup.kibana:
#       host: "<172.X0.1XX.12>"
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["172.X0.1XX.12:5044"]
  username: "logstash_system"
  password: "4NnCxvCwnoY8YRcQKNqc"
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

the issue stat when a modifiy this part of the file

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
        hosts: ["172.X0.1XX.12:9200"]

   Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
        username: "elastic"
        password: "VwIL2s3kJre9HNBE9A5u"
#setup.kibana:
        host: "<172.X0.1XX.12>"

Journalctl -xe -u filebeat:

░░ A stop job for unit filebeat.service has finished.
░░
░░ The job identifier is 8696 and the job result is done.
Apr 22 13:32:36 debian-suricata systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
░░ Subject: A start job for unit filebeat.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit filebeat.service has finished successfully.
░░
░░ The job identifier is 8696.
Apr 22 13:32:36 debian-suricata filebeat[12910]: Exiting: error loading config file: yaml: line 135: found character that cannot start any token
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit filebeat.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit filebeat.service has entered the 'failed' state with result 'exit-code'.
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 5.
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ Automatic restarting of the unit filebeat.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Apr 22 13:32:36 debian-suricata systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
░░ Subject: A stop job for unit filebeat.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit filebeat.service has finished.
░░
░░ The job identifier is 8766 and the job result is done.
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Start request repeated too quickly.
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit filebeat.service has entered the 'failed' state with result 'exit-code'.
Apr 22 13:32:36 debian-suricata systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
░░ Subject: A start job for unit filebeat.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit filebeat.service has finished with a failure.
░░
░░ The job identifier is 8766 and the job result is failed.

Log filebeat

root@debian-suricata:/var/log/filebeat# cat filebeat
2022-04-22T13:09:07.174-0400    INFO    instance/beat.go:685    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] Hostfs Path: [/]
2022-04-22T13:09:07.175-0400    INFO    instance/beat.go:693    Beat ID: 6735e9d4-e7d6-469e-8126-5152dce51547
2022-04-22T13:09:10.179-0400    WARN    [add_cloud_metadata]    add_cloud_metadata/provider_aws_ec2.go:79       read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
2022-04-22T13:09:10.180-0400    INFO    [beat]  instance/beat.go:1039   Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "6735e9d4-e7d6-469e-8126-5152dce51547"}}}
2022-04-22T13:09:10.180-0400    INFO    [beat]  instance/beat.go:1048   Build info      {"system_info": {"build": {"commit": "f6042bc3407cc10201cfd8c7574d8b0a88a699db", "libbeat": "7.17.2", "time": "2022-03-28T09:47:58.000Z", "version": "7.17.2"}}}
2022-04-22T13:09:10.180-0400    INFO    [beat]  instance/beat.go:1051   Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.17.6"}}}
2022-04-22T13:09:10.180-0400    INFO    [beat]  instance/beat.go:1055   Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2022-04-20T10:51:12-04:00","containerized":false,"name":"debian-suricata","ip":["127.0.0.1/8","::1/128","172.X0.1XX.12/24","fe80::649e:51ff:feb0:46c3/64"],"kernel_version":"5.10.0-13-amd64","mac":["66:9e:51:b0:46:c3"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"11 (bullseye)","major":11,"minor":0,"patch":0,"codename":"bullseye"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"8925b48d41884fb8937408a0a53495ee"}}}
2022-04-22T13:09:10.181-0400    INFO    [beat]  instance/beat.go:1084   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/home/itsupport", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 12664, "ppid": 12662, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2022-04-22T13:09:06.670-0400"}}}
2022-04-22T13:09:10.183-0400    INFO    instance/beat.go:328    Setup Beat: filebeat; Version: 7.17.2
2022-04-22T13:09:10.183-0400    INFO    [publisher]     pipeline/module.go:113  Beat name: debian-suricata
2022-04-22T13:09:10.185-0400    WARN    beater/filebeat.go:202  Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.
2022-04-22T13:09:10.185-0400    ERROR   instance/beat.go:1014   Exiting: Index management requested but the Elasticsearch output is not configured/enabled

Regards and thanks for any help

Andrea_Spacca · April 25, 2022, 8:04am

Hi @Tetsuho, welcome to the Elastic community.

Could you please confirm that you have the following at line 135 of filebeat.yml?

Protocol - either `http` (default) or `https`.`

This line is intended to by a comment and should be prefixed by # (the line itself is not valid yaml)

# Protocol - either `http` (default) or `https`.`

If that's not the problem please review your yaml files and assure they contain valid yaml.

Please, be aware that you shared in clear text your password credentials: I'd urge you to rotate them

Tetsuho · April 27, 2022, 8:14pm

Hi Andrea thanks so very much for you answer, the passwords exposed killed my hopes to fix that installation. So I did a fresh install and it look to be working fine.
I got a issue now trying to use filebeat and misp threat intel.

I must to create a new topic for that ?

Regards

Andrea_Spacca · April 27, 2022, 11:35pm

Hello @Tetsuho ,

glad the new installation is working properly

What is the question you have about filebeat and misp threat intel?

Tetsuho · April 28, 2022, 4:16pm

Hi Andrea, I'm trying to enable that module following the instructions:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.20.188.13:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "intentionally deleted"
#modificacion solicitada para activar el modulo MISP
  setup.kibana:
  host: "<172.X0.1XX.1X:5601>"

root@debian-suricata:/home/itsupport# filebeat modules enable misp
Module misp is already enabled

root@debian-suricata:/home/itsupport# filebeat setup --modules=misp -e --dashboards
2022-04-28T12:02:37.441-0400    INFO    instance/beat.go:685    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] Hostfs Path: [/]
2022-04-28T12:02:37.442-0400    INFO    instance/beat.go:693    Beat ID: 534056f3-17c5-4e34-9ff2-ae79ac5829c6
2022-04-28T12:02:40.444-0400    WARN    [add_cloud_metadata]    add_cloud_metadata/provider_aws_ec2.go:79       read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
2022-04-28T12:02:40.445-0400    INFO    [beat]  instance/beat.go:1039   Beat info       {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "534056f3-17c5-4e34-9ff2-ae79ac5829c6"}}}
2022-04-28T12:02:40.445-0400    INFO    [beat]  instance/beat.go:1048   Build info      {"system_info": {"build": {"commit": "1993ee88a11cb34f61a1fb45c7c3cf50533682cb", "libbeat": "7.17.3", "time": "2022-04-19T09:27:20.000Z", "version": "7.17.3"}}}
2022-04-28T12:02:40.445-0400    INFO    [beat]  instance/beat.go:1051   Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.17.8"}}}
2022-04-28T12:02:40.445-0400    INFO    [beat]  instance/beat.go:1055   Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2022-04-25T14:21:13-04:00","containerized":false,"name":"debian-suricata","ip":["127.0.0.1/8","::1/128","172.X0.1XX.12/24","fe80::a803:eeff:fe0f:ed98/64"],"kernel_version":"5.10.0-13-amd64","mac":["aa:03:ee:0f:ed:98"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"11 (bullseye)","major":11,"minor":0,"patch":0,"codename":"bullseye"},"timezone":"-04","timezone_offset_sec":-14400,"id":"191e8d75c15d418684a96b7681a70883"}}}
2022-04-28T12:02:40.446-0400    INFO    [beat]  instance/beat.go:1084   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/home/itsupport", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 5983, "ppid": 5944, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2022-04-28T12:02:36.270-0400"}}}
2022-04-28T12:02:40.446-0400    INFO    instance/beat.go:328    Setup Beat: filebeat; Version: 7.17.3
2022-04-28T12:02:40.446-0400    INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'filebeat-7.17.3' as ILM is enabled.
2022-04-28T12:02:40.446-0400    INFO    [esclientleg]   eslegclient/connection.go:105   elasticsearch url: http://172.X0.1XX.13:9200
2022-04-28T12:02:40.447-0400    INFO    [publisher]     pipeline/module.go:113  Beat name: debian-suricata
2022-04-28T12:02:40.448-0400    INFO    beater/filebeat.go:118  Enabled modules/filesets: misp (threat)
2022-04-28T12:02:40.449-0400    WARN    beater/filebeat.go:136  Fileset `threat` for module `misp` is loaded but was not explicitly defined in the config. Starting from v8.0 this fileset won't be loaded unless explicitly defined.
Loading dashboards (Kibana must be running and reachable)
2022-04-28T12:02:40.450-0400    INFO    kibana/client.go:180    Kibana url: http://172.X0.1XX.13:5601
2022-04-28T12:02:43.363-0400    INFO    kibana/client.go:180    Kibana url: http://172.X0.1XX.13:5601
2022-04-28T12:02:43.447-0400    INFO    [add_cloud_metadata]    add_cloud_metadata/add_cloud_metadata.go:101    add_cloud_metadata: hosting provider type not detected.

I see this line advising about a mismatch configuration but I don't understand what does it mean

beater/filebeat.go:136  Fileset `threat` for module `misp` is loaded but was not explicitly defined in the config. Starting from v8.0 this fileset won't be loaded unless explicitly defined.

Thanks for all your help Andrea

ibra_013 · May 1, 2022, 1:54pm

Hi,

the misp module is deprecated in 7.14.0 , use the threatintel module instead.

system · May 29, 2022, 3:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.