I get this error when i restart my filebeat in ELK

Jonesthomas · March 27, 2017, 9:27am

sudo service filebeat restart

Restarting Sends log files to Logstash or directly to Elasticsearch. filebeat Loading config file error: YAML config parsing failed on /etc/filebeat/filebeat.yml: yaml: line 223: found character that cannot start any token. Exiting.
[fail]

exekias · March 27, 2017, 10:00am

It looks like something is wrong in your filebeat.yml, can you share that line (223) and its full context?

Jonesthomas · March 27, 2017, 10:03am

  ### Logstash as output
  logstash:
    # The Logstash hosts
    hosts: ["localhost:5044"]
	 bulk_max_size: 1024
    # Number of workers per Logstash host.
    #worker: 1

    # Optional load balance the events between the Logstash hosts
    #loadbalance: true

    # Optional index name. The default index name depends on the each beat.
    # For Packetbeat, the default is set to packetbeat, for Topbeat
    # top topbeat and for Filebeat to filebeat.
    #index: filebeat

    # Optional TLS. By default is off.
    tls:
      # List of root certificates for HTTPS server verifications
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

      # Certificate for TLS client authentication
      #certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      #certificate_key: "/etc/pki/client/cert.key"

      # Controls whether the client verifies server certificates and host name.
      # If insecure is set to true, all server host names and certificates will be
      # accepted. In this mode TLS based connections are susceptible to
      # man-in-the-middle attacks. Use only for testing.
      #insecure: true

      # Configure cipher suites to be used for TLS connections
      #cipher_suites: []

      # Configure curve types for ECDHE based cipher suites
      #curve_types: []

steffens · March 28, 2017, 8:11am

Skimming the sample, I don't see anything wrong with the sample snippet. Did you mix tabs and spaces by accident?

have you tried to lint your config (e.g. with yamllint.com) ? Not having the full configuration file it's quite hard to jump to line 223 to fix the error... (please properly format your config)

Jonesthomas · March 28, 2017, 11:03am

this is the content in the 223 line

220: ### Logstash as output
221: logstash:
222: #the Logstash hosts
223: hosts: ["localhost:5044"]

steffens · March 28, 2017, 12:22pm

your line numbering is off by one

I reformatted your post. It's bulk_max_size setting being clearly off.

system · April 25, 2017, 12:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.