When I start Filebeat and check the status of the service, I get this output: more than one namespace configured accessing 'output' /etc/filebeat/filebeat.yml. How can I resolve this problem? (I am trying to send Bro logs to Elasticsearch.)
This could be caused by some settings misplaced in the configuration file, can you share your config? What version of filebeat are you using?
The version: logstash-input-beats (3.1.30)
The configuration:
```yaml
#=========================== Filebeat prospectors =============================
filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /nsm/bro/logs/current/conn.log
  fields:
    type:"bro-conn"
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
output.elasticsearch:
  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["localhost:5044"]
```
I see you have two outputs configured, but Beats supports only one.
If you need to store the events in multiple places, you can send them from Beats to Logstash and configure the multiple outputs there.
Thanks jsoriano, the problem is fixed: I had commented out output.elasticsearch and hosts. But another problem appeared: when I attempt to start and check the status, I get this output: Error in initing prospector: required 'object', but found 'string' in field 'filebeat.prospectors.0.fields' (source: /etc/filebeat/filebeat.yml)
Can you paste the new config? When pasting it here you can enclose it between three backticks (```) to keep its format.
The problem was fixed by using this configuration: https://github.com/dunbarcyber/cyphondock/blob/master/config-COPYME/beats/filebeat/filebeat.yml
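The two errors from this thread, shown as a corrected config. This is an added example, not part of the original posts and not the linked cyphondock file. Paths and hosts are the ones posted above. It assumes the second error came from the missing space in `type:"bro-conn"`: YAML needs a space after the colon to read a key/value pair, otherwise `fields` holds a plain string.

```yaml
# Added example: corrected version of the config posted in this thread.
# Check it before restarting the service with:
#   filebeat test config -c /etc/filebeat/filebeat.yml

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /nsm/bro/logs/current/conn.log
  fields:
    # Was:  type:"bro-conn"   (no space, so `fields` parsed as one string
    #       and Filebeat reported: required 'object', but found 'string')
    type: "bro-conn"          # space after the colon makes `fields` a mapping

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

# Exactly one output.* namespace may be active. Two active outputs produce:
#   more than one namespace configured accessing 'output'
#output.elasticsearch:
#  hosts: ["localhost:9200"]

# Ship to Logstash only; fan out to Elasticsearch or other destinations
# from the Logstash pipeline, as suggested in the reply above.
output.logstash:
  hosts: ["localhost:5044"]
```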