Hi everyone, I'm glad to be part of this community. I'm here because I got an error message when I try to start the filebeat service after making some modifications related to enabling the MISP threat intel logs.
Here is the filebeat.yml:
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
# Array of hosts to connect to.
hosts: ["172.X0.1XX.12:9200"]
Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "VwIL2s3kJre9HNBE9A5u"
#setup.kibana:
# host: "<172.X0.1XX.12>"
# ------------------------------ Logstash Output -------------------------------
output.logstash:
# The Logstash hosts
hosts: ["172.X0.1XX.12:5044"]
username: "logstash_system"
password: "4NnCxvCwnoY8YRcQKNqc"
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
The issue started when I modified this part of the file:
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
# Array of hosts to connect to.
hosts: ["172.X0.1XX.12:9200"]
Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "VwIL2s3kJre9HNBE9A5u"
#setup.kibana:
host: "<172.X0.1XX.12>"
journalctl -xe -u filebeat:
░░ A stop job for unit filebeat.service has finished.
░░
░░ The job identifier is 8696 and the job result is done.
Apr 22 13:32:36 debian-suricata systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
░░ Subject: A start job for unit filebeat.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit filebeat.service has finished successfully.
░░
░░ The job identifier is 8696.
Apr 22 13:32:36 debian-suricata filebeat[12910]: Exiting: error loading config file: yaml: line 135: found character that cannot start any token
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit filebeat.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit filebeat.service has entered the 'failed' state with result 'exit-code'.
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Scheduled restart job, restart counter is at 5.
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ Automatic restarting of the unit filebeat.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Apr 22 13:32:36 debian-suricata systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..
░░ Subject: A stop job for unit filebeat.service has finished
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A stop job for unit filebeat.service has finished.
░░
░░ The job identifier is 8766 and the job result is done.
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Start request repeated too quickly.
Apr 22 13:32:36 debian-suricata systemd[1]: filebeat.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit filebeat.service has entered the 'failed' state with result 'exit-code'.
Apr 22 13:32:36 debian-suricata systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..
░░ Subject: A start job for unit filebeat.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit filebeat.service has finished with a failure.
░░
░░ The job identifier is 8766 and the job result is failed.
Filebeat log:
root@debian-suricata:/var/log/filebeat# cat filebeat
2022-04-22T13:09:07.174-0400 INFO instance/beat.go:685 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] Hostfs Path: [/]
2022-04-22T13:09:07.175-0400 INFO instance/beat.go:693 Beat ID: 6735e9d4-e7d6-469e-8126-5152dce51547
2022-04-22T13:09:10.179-0400 WARN [add_cloud_metadata] add_cloud_metadata/provider_aws_ec2.go:79 read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
2022-04-22T13:09:10.180-0400 INFO [beat] instance/beat.go:1039 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "6735e9d4-e7d6-469e-8126-5152dce51547"}}}
2022-04-22T13:09:10.180-0400 INFO [beat] instance/beat.go:1048 Build info {"system_info": {"build": {"commit": "f6042bc3407cc10201cfd8c7574d8b0a88a699db", "libbeat": "7.17.2", "time": "2022-03-28T09:47:58.000Z", "version": "7.17.2"}}}
2022-04-22T13:09:10.180-0400 INFO [beat] instance/beat.go:1051 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.17.6"}}}
2022-04-22T13:09:10.180-0400 INFO [beat] instance/beat.go:1055 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2022-04-20T10:51:12-04:00","containerized":false,"name":"debian-suricata","ip":["127.0.0.1/8","::1/128","172.X0.1XX.12/24","fe80::649e:51ff:feb0:46c3/64"],"kernel_version":"5.10.0-13-amd64","mac":["66:9e:51:b0:46:c3"],"os":{"type":"linux","family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"11 (bullseye)","major":11,"minor":0,"patch":0,"codename":"bullseye"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"8925b48d41884fb8937408a0a53495ee"}}}
2022-04-22T13:09:10.181-0400 INFO [beat] instance/beat.go:1084 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/home/itsupport", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 12664, "ppid": 12662, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2022-04-22T13:09:06.670-0400"}}}
2022-04-22T13:09:10.183-0400 INFO instance/beat.go:328 Setup Beat: filebeat; Version: 7.17.2
2022-04-22T13:09:10.183-0400 INFO [publisher] pipeline/module.go:113 Beat name: debian-suricata
2022-04-22T13:09:10.185-0400 WARN beater/filebeat.go:202 Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.
2022-04-22T13:09:10.185-0400 ERROR instance/beat.go:1014 Exiting: Index management requested but the Elasticsearch output is not configured/enabled
Regards and thanks for any help