Filebeat not starting

Elastic Stack Beats
1

Hi,

Having some issues with filebeat on Ubuntu 16.04.
I followed this tutorial https://www.howtoforge.com/tutorial/how-to-install-elastic-stack-on-ubuntu-16-04/
I cannot figure out why filbeat is not starting. Any help would be appretiated.

indent preformatted text by 4 spaces
Preformatted text● filebeat.service - filebeat
Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
Active: inactive (dead) (Result: exit-code) since Mon 2017-07-10 06:14:32 PDT; 31s ago
Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Process: 2136 ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat (code=exited, status=1/FAILURE)
Main PID: 2136 (code=exited, status=1/FAILURE)

Jul 10 06:14:32 ubuntu systemd[1]: filebeat.service: Main process exited, code=exited, status=1/FAILURE
Jul 10 06:14:32 ubuntu systemd[1]: filebeat.service: Unit entered failed state.
Jul 10 06:14:32 ubuntu systemd[1]: filebeat.service: Failed with result 'exit-code'.
Jul 10 06:14:32 ubuntu systemd[1]: filebeat.service: Service hold-off time over, scheduling restart.
Jul 10 06:14:32 ubuntu systemd[1]: Stopped filebeat.
Jul 10 06:14:32 ubuntu systemd[1]: filebeat.service: Start request repeated too quickly.
Jul 10 06:14:32 ubuntu systemd[1]: Failed to start filebeat.Preformatted text
indent preformatted text by 4 spaces

filebeat.prospectors:
  - 
    input_type: log
    paths:
      - /var/log/*.log
      - /var/log/auth.log
      - /var/log/syslog
  - 
    document-type: syslog

    indent preformatted text by 4 spaces

output.logstash:
  # The Logstash hosts
  hosts: ["elk-master:5443"]
  bulk_max_size: 2048
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/filebeat/logstash.crt"]
  template.name: "filebeat"
  template.path: "filebeat.template.json"
  template.overwrite: false

    indent preformatted text by 4 spaces
2

Please proplery format logs and config files using the </> button in the editor toolbar (your pasted config was quite unreadable).

  1. What's the indent preformatted text by 4 spaces supposed to do?
  2. the document-type should bedocument_type` and be part of first prospector, not a separate entry.
3

Hi, Even I am getting the same Error for Merricbeat 5.4 abd Filebeat 5.4 on Ubuntu.

4

Apologies for formatting. So with the changes you stated

filebeat.prospectors:
  - 
    input_type: log
    document_type: syslog
    paths:
      - /var/log/*.log
      - /var/log/auth.log
      - /var/log/syslog
  - 
   

output.logstash:
  # The Logstash hosts
  hosts: ["elk-master:5443"]
  bulk_max_size: 2048
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/filebeat/logstash.crt"]
  template.name: "filebeat"
  template.path: "filebeat.template.json"
  template.overwrite: false

`
I still get the same error and failure to start. Running the configtest says the formatting is OK.

5
  • You still have an empty list entry in your config file.
  • The 'template' settings are only supported by the Elasticsearch output. Logstash itself provides some support configuring the mapping upon load

can you try this config:

filebeat.prospectors:
- input_type: log
  document_type: syslog
  paths:
    - /var/log/*.log
    - /var/log/auth.log
    - /var/log/syslog

output.logstash:
  # The Logstash hosts
  hosts: ["elk-master:5443"]
  bulk_max_size: 2048
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/filebeat/logstash.crt"]
6

Awesome. Works. Thanks so much for the help.