Foilebeat IIS Module Config

Elastic Stack Kibana
1

I am working on version 8.10.2 of Elastic, Kibana and Filebeat. I am trying to get IIS.YML to work but I am running into a some errors.

I am running this command:
.\filebeat.exe -e -c D:\Filebeat\modules.d\iis.yml and I am getting this error:

Exiting: no outputs are defined, please define one under the output section.

Can someone help me figure out the issue?
Here is my IIS.YML

# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.10/filebeat-module-iis.html
- module: iis
  # Access logs
  access:
    enabled: "true"
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
  var.paths: ["D:/01-evidence/IIS/*.log"]
  # Error logs
  error:
    enabled: false
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    # var.paths:
# =============================== Kibana ===============================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
- setup.kibana.host: "http://localhost:5601"
  #hosts: ["https://localhost:9200", "https://1.1.1.1:9200"]
  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  # space.id:
# ============================ Elastic Cloud ============================
# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
# cloud.id:
# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
# cloud.auth:
# =============================== Outputs ===============================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
- output.elasticsearch:
  # Array of hosts to connect to.
    hosts:  ["https://localhost:9200", "https://1.1.1.1:9200"]
  # Protocol - either `http` (default) or `https`.
  # protocol: "https"
    username: "user"
    password: "pass"
    ssl.verification_mode: none
# ------------------------------ Logstash Output ------------------------------```
2

I wonder if it's as simple as indentation

- output.elasticsearch:
  # Array of hosts to connect to.
  hosts:  ["https://localhost:9200", "https://1.1.1.1:9200"]
3

Hi @dfir

I'm not sure what documentation or instructions are following but you're close but not configuring nor executing correctly.

Please follow the quick start guide and just use IIS instead of the nginx example

You need to clean up and follow those instructions and then edit the iis.yml as well as the filebeat.yml

Enabling the iis module
Also a key step is running setup as shown in the quick start guide

4

Thanks for the suggestion. I definitely have has some indenting issues. I will double check.

5

@stephenb Thanks for the link. Ill run through the link. I am following some documentation both internally here and from the filebeat website. Ill go through it.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.