Filebeat - issue after enable elasticsearch module

dominbdg · February 17, 2022, 11:06pm

Hello,
I would like to filebeat process my Elasticsearch audit logs.
When I enable Elasticsearch module (filebeat modules enable Elasticsearch) module is enabled and under modules.d file Elasticsearch.yml.disabled changed to Elasticsearch.yml

my Elasticsearch.yml looks like below:

# Module: elasticsearch
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.16/filebeat-module-elasticsearch.html

- module: elasticsearch
  # Server log
  server:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  gc:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  audit:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: /opt/local-cluster_audit.json

  slowlog:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  deprecation:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

When module is enabled and I going to restart filebeat, after restart I'm receiving error:

ERROR   instance/beat.go:1015   Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: error getting config for fileset elasticsearch/audit: Error interpreting the template of the input: template: text:3:22: executing "text" at <.paths>: range can't iterate over /opt/pci-cluster_audit.json
> Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: error getting config for fileset elasticsearch/audit: Error interpreting the template of the input: template: text:3:22: executing "text" at <.paths>: range can't iterate over /opt/pci-cluster_audit.json

legoguy1000 · February 20, 2022, 2:10am

vat.paths should be a list.

dominbdg · February 20, 2022, 11:04am

I have enabled var.paths.
Below is my config for Elasticsearch module:

# Module: elasticsearch
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.16/filebeat-module-elasticsearch.html

- module: elasticsearch
  # Server log
  server:
    enabled: false

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  gc:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  audit:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: /opt/aaa-cluster_audit.json

  slowlog:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  deprecation:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

legoguy1000 · February 20, 2022, 3:43pm

Yes but you've set var.paths as a string, u need to make it a list like below.

var.paths:
  - /xxxxx/xxxxx.....

dominbdg · February 20, 2022, 8:03pm

Hello,
Alex many thanks for Your help,
to be honest I'm working on that couple of days and didn't understand what's going on,
I thought that Elasticsearch module - it is regular config and it looks like this is yaml config.
You helped me a lot! Thanks for that

system · March 20, 2022, 10:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.