Filebeat code=exited, status=1/FAILURE

Newbie here, so think basic. :slightly_smiling_face:

Filebeat service won't start (on Debian), fails with code=exited, status=1/FAILURE.

If I run filebeat -v -e -d "*", I get:
Exiting: error loading config file: yaml: line 107: did not find expected ':'
If I look at /etc/filebeat/filebeat.yml, line 107 is:

`- module: cisco`

Is there supposed to be a different ':' somewhere? I'm just stumped. Thanks for any help or direction you can give me...

Can you post your config please?
Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

```yaml
###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  #multiline.pattern: ^\[

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  #multiline.negate: false

  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
  #multiline.match: after

# filestream is an experimental input. It is going to replace log input in the future.
- type: filestream

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

-------------------------------- Cisco Module --------------------------------
- module: cisco
  asa:
    enabled: false

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: 0.0.0.0

    # The UDP port to listen for syslog traffic. Defaults to 9001.
    #var.syslog_port: 8512

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
    #var.log_level: 7

  ftd:
    enabled: false

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost

    # The UDP port to listen for syslog traffic. Defaults to 9003.
    #var.syslog_port: 9003

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
    #var.log_level: 7

  ios:
    enabled: true

    # Set which input to use between syslog (default) or file.
    var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0

    # The UDP port to listen for syslog traffic. Defaults to 9002.
    var.syslog_port: 8512

    # Set custom paths for the log files when using file input. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  nexus:
    enabled: false

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9506

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  meraki:
    enabled: false

    # Set which input to use between udp (default), tcp or file.
    # var.input: udp
    # var.syslog_host: localhost
    # var.syslog_port: 9525

    # Set paths for the log files when file input is used.
    # var.paths:

    # Toggle output of non-ECS fields (default true).
    # var.rsa_fields: true

    # Set custom timezone offset.
    # "local" (default) for system timezone.
    # "+02:00" for GMT+02:00
    # var.tz_offset: local

  umbrella:
    enabled: false

    #var.input: s3
    # AWS SQS queue url
    #var.queue_url: https://sqs.us-east-1.amazonaws.com/ID/CiscoQueue
    # Access ID to authenticate with the S3 input
    #var.access_key_id: 123456
    # Access key to authenticate with the S3 input
    #var.secret_access_key: PASSWORD
    # The duration that the received messages are hidden from ReceiveMessage request
    #var.visibility_timeout: 300s
    # Maximum duration before AWS API request will be interrupted
    #var.api_timeout: 120s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the setup command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.1.222:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the output.elasticsearch.hosts and
# setup.kibana.host options.
# You can find the cloud.id in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the output.elasticsearch.username and
# output.elasticsearch.password settings. The format is <user>:<pass>.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.1.222:9200"]

  # Protocol - either http (default) or https.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  hosts: ["192.168.1.222:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
```

Do you mind editing that and fixing the formatting please? Just highlight all the code and then use the </> button in the formatting menu :slight_smile:

OK, that was a pain. :slight_smile:
Current scenario - everything (Elastic, Kibana, Logstash, etc) loaded on a laptop at my home office with a Cisco IOS pushing logs to port 8512. This is purely a test environment for me to learn Elastic.
My goal - all networking equipment at all our locations dumping their syslogs into Elastic, which will give us visibility into individual devices & allow us to see errors more easily (and not be overwhelmed with PRTG notifications).

Crud, I thought that's what I did. If I highlight & hit the </> button, it still says there is code in the reply. Not sure what I'm doing wrong (or not doing).

Besides the fact that it says I have too many characters, so I had to drop the bottom few bits of my filebeat.yml.

Here, how 'bout this:

No worries, thanks for the other link.

I'm not super yaml conversant, hopefully someone else can chime in because I am not sure why that's erroring.

Me too, because I'm not even remotely yaml conversant. :slight_smile: Like I said, just learning... But thanks for giving it a look.

Is it correct that the "#" is missing at the beginning of line 106?
`-------------------------------- Cisco Module --------------------------------`

I was getting an error on Line 106 (when I ran filebeat -v -e -d "*"), that went away when I removed the #. Should I not have? And what is wrong with line 106 if there is a # at the beginning? I'm so confused...

If I check the status of the filebeat service, it tells me this:

```
/usr/share/filebeat/bin$ systemctl status filebeat.service
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-12-17 09:09:38 PST; 5s ago
     Docs: https://www.elastic.co/products/beats/filebeat
  Process: 13261 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_C
 Main PID: 13261 (code=exited, status=1/FAILURE)
```

Then if I run filebeat -v -e -d "*", I get
Exiting: error loading config file: yaml: line 106: did not find expected key

Both of these are after I've added the # to the beginning of the Cisco Modules line.

`----- Cisco Module ----`

can't be right.

Remove the line (106) or add "#" in front of the line:
`#----- Cisco Module ----`

Yes, I did, then I get my last comment (the line 106 error).

I just had a thought - should the #--------------- Cisco Module ----------- section be in the filebeat.yml or in the cisco.yml in the modules.d folder? Because right now it's in the filebeat.yml, right where I put it, but I just noticed the cisco.yml & thought maybe it needs to go there instead. Like I said at the beginning, newbie...

Oh, yeah don't move it out of the cisco.yml. All you should need to do is filebeat module enable cisco and then edit that file, not copy it into the main one.
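To see what the YAML parser is tripping over before the file ever reaches Filebeat, here is a small stdlib-only lint script. It is an added example for this thread, not Filebeat's own tooling, and it only implements a heuristic: every non-comment line of filebeat.yml has to be either `key:` or `- item`, so an uncommented separator such as `---- Cisco Module ----` (copied from filebeat.reference.yml, where it starts with `#`) is flagged, and so is a `- module: cisco` block that belongs in modules.d/cisco.yml rather than the main file (enable it with `filebeat modules enable cisco`). The sample inputs are constructed, not the poster's real file.

```python
"""Heuristic lint for a Filebeat filebeat.yml (stdlib only, no PyYAML).

Added example for this thread, not Filebeat's own code. It flags:
  1. a non-comment line that is neither 'key:' nor '- item' (for instance a
     separator line pasted without its leading '#'), which is the kind of line
     that makes the YAML parser report "did not find expected ':'" or
     "did not find expected key" on that line or the one after it;
  2. a module definition ('- module: <name>') pasted into filebeat.yml, which
     belongs in modules.d/<name>.yml ('filebeat modules enable <name>').
"""
import re
from typing import List, Tuple

# Constructed sample input (not the poster's real file): the tail of a
# filebeat.yml with the reference-file separator pasted in uncommented.
SAMPLE_BROKEN = """\
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

-------------------------------- Cisco Module --------------------------------
- module: cisco
  ios:
    enabled: true
    var.syslog_port: 8512
"""

# The same file after removing the pasted module block; the module settings
# live in modules.d/cisco.yml instead.
SAMPLE_FIXED = """\
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
"""

# 'key:' or '- key:' followed by whitespace or end of line (the value itself
# may contain ':' as in host: "192.168.1.222:5601").
KEY_LINE = re.compile(r"^\s*(-\s+)?[^\s#-][^:#]*:(\s|$)")
# '- item' list entry, e.g. '- /var/log/*.log'
LIST_ITEM = re.compile(r"^\s*-\s+\S")
# YAML document markers are legal on their own
DOC_MARKER = re.compile(r"^(---|\.\.\.)\s*$")
# top-level module definition, which should not be in filebeat.yml
MODULE_DEF = re.compile(r"^- module:\s*(\S+)")

Finding = Tuple[int, str]


def lint_filebeat_yml(text: str) -> List[Finding]:
    """Return (line_number, message) for each suspicious line in *text*.

    Line numbers are 1-based, matching the 'yaml: line N' in Filebeat's error.
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or DOC_MARKER.match(line):
            continue
        mod = MODULE_DEF.match(line)
        if mod:
            name = mod.group(1)
            findings.append((lineno, f"module definition belongs in modules.d/{name}.yml "
                                     f"(run 'filebeat modules enable {name}'), not in filebeat.yml"))
            continue
        if KEY_LINE.match(line) or LIST_ITEM.match(line):
            continue
        findings.append((lineno, "not a comment, 'key:' or '- item'; a separator line "
                                 "missing its leading '#'?"))
    return findings


if __name__ == "__main__":
    for sample_name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"{sample_name}: {lint_filebeat_yml(sample) or 'no findings'}")
```

Run it against the real file with `python3 lint.py` after swapping the constructed sample for `open('/etc/filebeat/filebeat.yml').read()`; the line numbers it reports line up with the `yaml: line N` in Filebeat's "error loading config file" message. The check is deliberately narrow: it catches lines that cannot be YAML at all, not indentation mistakes such as an indented `hosts:` left under a commented-out `#output.logstash:`. For those, `filebeat test config -c /etc/filebeat/filebeat.yml` is the authoritative check.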

OK, I removed the Cisco lines from filebeat.yml, verified cisco.yml is setup how it should be (I think) and restarted the service, but it is still failing. Below is the status of the service:

```
systemctl status filebeat.service
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-12-22 07:47:44 PST; 37s ago
     Docs: https://www.elastic.co/products/beats/filebeat
  Process: 2503 ExecStart=/usr/share/filebeat/bin/filebeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS (code=exite
 Main PID: 2503 (code=exited, status=1/FAILURE)
```

And filebeat -v -e -d "*"
Exiting: could not initialize the keystore: open /var/lib/filebeat/filebeat.keystore: permission denied.

Hmmm, maybe now we're getting somewhere. When I go look at /var/lib/filebeat, there is no filebeat.keystore file in this folder. Any thoughts on that? Hidden? Somewhere else? If so, how do I figure out where that file is?

Hmmm, I searched my entire drive & there is no filebeat.keystore on it. Tried to show the keystore

(filebeat keystore list)

& it shows

error initializing beat: could not initialize the keystore: open /var/lib/filebeat/filebeat.keystore: permission denied

And still no filebeat.keystore at this location. Now I'm stuck. Can I re-run the filebeat installer & overwrite possibly bad info? I'm really getting frustrated with this.
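The keystore message is worth reading literally, so here is a small POSIX shell check, added for this thread and not part of Filebeat. Two facts it relies on: the Debian package creates /var/lib/filebeat owned by root and not world-writable, and filebeat.keystore does not exist until `filebeat keystore create` is run, so a missing keystore would normally produce "no such file", not "permission denied". "permission denied" on that path means the open failed at the directory, that is, the calling user cannot get into /var/lib/filebeat. The assumption here is that the foreground `filebeat -e` and `filebeat keystore list` were run from an unprivileged shell (the prompt shown above is not a root prompt), while the systemd unit runs as root; the function below tells the two situations apart for whatever user runs it.

```sh
#!/bin/sh
# Added example for this thread (not Filebeat's own tooling). Diagnoses the
# "could not initialize the keystore: open .../filebeat.keystore: permission
# denied" message without needing filebeat installed.
#
# Relies on: the package data dir /var/lib/filebeat is root-owned and not
# world-writable; the keystore file is absent until 'filebeat keystore create'.
# Assumption: the failing commands were run from an unprivileged shell.

# check_keystore_dir DIR
#   prints a one-line diagnosis; returns 0 if the calling user could open or
#   create DIR/filebeat.keystore, 1 otherwise.
check_keystore_dir() {
    dir=$1
    ks="$dir/filebeat.keystore"
    me=$(id -un)

    if [ ! -d "$dir" ]; then
        echo "$dir: data directory missing; check path.data or reinstall the package"
        return 1
    fi
    if [ -e "$ks" ]; then
        if [ -r "$ks" ]; then
            echo "$ks: present and readable by $me"
            return 0
        fi
        echo "$ks: present but not readable by $me (owner: $(ls -ld "$ks" | awk '{print $3}'))"
        return 1
    fi
    if [ -w "$dir" ] && [ -x "$dir" ]; then
        echo "$ks: absent, which is normal until 'filebeat keystore create'; $me can create it"
        return 0
    fi
    echo "$ks: absent and $me cannot create it in $dir ($(ls -ld "$dir" | awk '{print $1, $3}'))"
    echo "run keystore commands as root, e.g. 'sudo filebeat keystore list', and read the service's own error with 'journalctl -u filebeat'"
    return 1
}

# Usage: sh check_keystore.sh /var/lib/filebeat  (once as yourself, once with sudo)
if [ -n "${1:-}" ]; then
    check_keystore_dir "$1"
fi
```

If the check passes as root but fails as your user, the foreground run was simply the wrong user, and the service's exit status 1 has a different cause that `journalctl -u filebeat` will show; if it fails as root too, the directory itself is wrong and reinstalling the package or fixing its ownership is the next step.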