Filebeat failing to start due to YAML error, but which config file is it complaining about?

artschooldropout · August 17, 2023, 6:21pm

I'm attempting to use Filebeat to ingest logs from Zeek, but I'm getting the following error when I start Filebeat:

gist.github.com

https://gist.github.com/packetuser/69473877186cd7e0b0ac78b430a15063

gistfile1.txt

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample

This file has been truncated. show original

Here's my /etc/filebeat/filebeat.yml file:

gist.github.com

https://gist.github.com/packetuser/69473877186cd7e0b0ac78b430a15063

gistfile1.txt

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample

This file has been truncated. show original

Yamllint tells me that there's an issue with this: "Map keys must be unique at line 234, column 1" (that line is 'output.elasticsearch:'). I don't understand!

And here's my /etc/filebeat/modules.d/zeek.yml file:

gist.github.com

https://gist.github.com/packetuser/d5832ab282013291d495ccfce1154046

gistfile1.txt

# Module: zeek
# Docs: https://www.elastic.co/guide/en/beats/filebeat/main/filebeat-module-zeek.html

- module: zeek
    capture_loss:
        enabled: true
        var.paths: ["/mnt/Bro/current/capture_loss.log"]
    connection:
        enabled: true
        var.paths: ["/mnt/Bro/current/conn.log"]

This file has been truncated. show original

Yamllint tells me this one is formatted correctly.

The error message doesn't tell me which file is problematic.

Any assistance would be greatly appreciated!

Also, what am I doing wrong with my Gist links? Other people have sleek little windows with just the text content. I've got these chunky things with lots of Github stuff in the frame.

leandrojmp · August 17, 2023, 7:14pm

What is the error message? You didn't share it.

Looking at your filebeat.yml file it has a duplicated key, you have output.elasticsearch and hosts twice in the configuration, you can have it only once.

Check lines 139-141 and lines 234-240.

artschooldropout · August 17, 2023, 7:28pm

Whoops, my mistake. The error is here:

gist.github.com

https://gist.github.com/packetuser/677d6d6e95b4b61fe3178346f98e4f1a

gistfile1.txt

Exiting: Failed to start crawler: creating module reloader failed: loading configs: 1 error: invalid config: yaml: line 5: mapping values are not allowed in this context

artschooldropout · August 17, 2023, 7:48pm

Ok, I commented out the duplicate key, and restarted the elasticsearch and filebeat services. I get the same error from filebeat.

leandrojmp · August 17, 2023, 7:51pm

This is the entire log you have? Do you have other lines? This is not helpful indeed.

Please share the entire log you are receiving from filebeat.

artschooldropout · August 17, 2023, 8:08pm

Yes, here's the whole error:

gist.github.com

https://gist.github.com/packetuser/311b5c608a962a988813a59d13f342f6

gistfile1.txt

{"log.level":"info","@timestamp":"2023-08-17T19:47:41.688Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.688Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: 998ebe76-3f5e-48e2-9944-e1ba6df5656f","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.697Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":125},"message":"Syscall filter successfully installed","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.697Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/etc/filebeat","data":"/var/lib/filebeat","home":"/usr/share/filebeat","logs":"/var/log/filebeat"},"type":"filebeat","uuid":"998ebe76-3f5e-48e2-9944-e1ba6df5656f"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.697Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"dd50d49baeb99e0d21a31adb621908a7f0091046","libbeat":"8.9.0","time":"2023-07-19T01:28:34.000Z","version":"8.9.0"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.697Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":40,"version":"go1.19.10"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.700Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-08-16T21:02:12Z","containerized":false,"name":"zeek1","ip":["127.0.0.1","::1","10.7.81.47","fe80::1a66:daff:feac:8008","fe80::1a66:daff:feac:8009","fe80::a236:9fff:fef0:f140","fe80::a236:9fff:fef0:f142","fe80::a236:9fff:fef0:eb26"],"kernel_version":"5.15.0-78-generic","mac":["18:66:da:ac:80:07","18:66:da:ac:80:08","18:66:da:ac:80:09","18:66:da:ac:80:0a","a0:36:9f:f0:f1:40","a0:36:9f:f0:f1:42","a0:36:9f:f0:eb:24","a0:36:9f:f0:eb:26"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.2 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":2,"codename":"jammy"},"timezone":"UTC","timezone_offset_sec":0,"id":"5eb37bd26b0e4ba792a1575c41c3a2db"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.701Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"filebeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"ambient":null},"cwd":"/home/ocadu","exe":"/usr/share/filebeat/bin/filebeat","name":"filebeat","pid":76819,"ppid":76818,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-08-17T19:47:40.740Z"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-17T19:47:41.701Z","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: filebeat; Version: 8.9.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-08-17T19:47:41.709Z","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}

This file has been truncated. show original

leandrojmp · August 17, 2023, 8:22pm

The error is in the zeek.yml file.

{"log.level":"error","@timestamp":"2023-08-17T19:47:42.203Z","log.origin":{"file.name":"cfgfile/reload.go","file.line":270},"message":"Error loading config from file '/etc/filebeat/modules.d/zeek.yml', error invalid config: yaml: line 5: mapping values are not allowed in this context","service.name":"filebeat","ecs.version":"1.6.0"}

Looking at the file you shared:

- module: zeek
    capture_loss:
        enabled: true
        var.paths: ["/mnt/Bro/current/capture_loss.log"]
    connection:
        enabled: true
        var.paths: ["/mnt/Bro/current/conn.log"]

The indentation is different from the one that is expected.

capture_loss, connection etc should be on the same column of - module.


- module: zeek
  capture_loss:
    enabled: true
    var.paths: ["/mnt/Bro/current/capture_loss.log"]
  connection:
    enabled: true
    var.paths: ["/mnt/Bro/current/conn.log"]

Not sure if this is the issue, but since yml files are pretty sensible to indentation, it may be.

artschooldropout · August 17, 2023, 8:48pm

Yes! This was the issue! Thank you so much for your help.

I had copied and pasted the config file to notepad++, which messed with the indentation.

Thanks again.

system · September 14, 2023, 8:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch Beats filebeat	3	430	March 31, 2024
Error on filebeat Beats filebeat	11	1486	September 2, 2022
Filebeat failed to start: Exiting: error loading config file: yaml: line 31: did not find expected key Beats filebeat	1	3936	February 7, 2020
FileBeat Not starting due to config in yml file Beats filebeat	15	17278	September 22, 2017
Exiting: 1 error: error loading config file: invalid config: yaml: line 13: did not find expected key Beats beats-module , filebeat	5	6706	February 10, 2022

Filebeat failing to start due to YAML error, but which config file is it complaining about?

Related Topics