I get this error when i restart my filebeat in ELK

Elastic Stack Beats
1

sudo service filebeat restart

  • Restarting Sends log files to Logstash or directly to Elasticsearch. filebeat Loading config file error: YAML config parsing failed on /etc/filebeat/filebeat.yml: yaml: line 223: found character that cannot start any token. Exiting.
    [fail]
2

It looks like something is wrong in your filebeat.yml, can you share that line (223) and its full context?

3 
  ### Logstash as output
  logstash:
    # The Logstash hosts
    hosts: ["localhost:5044"]
	 bulk_max_size: 1024
    # Number of workers per Logstash host.
    #worker: 1

    # Optional load balance the events between the Logstash hosts
    #loadbalance: true

    # Optional index name. The default index name depends on the each beat.
    # For Packetbeat, the default is set to packetbeat, for Topbeat
    # top topbeat and for Filebeat to filebeat.
    #index: filebeat

    # Optional TLS. By default is off.
    tls:
      # List of root certificates for HTTPS server verifications
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

      # Certificate for TLS client authentication
      #certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      #certificate_key: "/etc/pki/client/cert.key"

      # Controls whether the client verifies server certificates and host name.
      # If insecure is set to true, all server host names and certificates will be
      # accepted. In this mode TLS based connections are susceptible to
      # man-in-the-middle attacks. Use only for testing.
      #insecure: true

      # Configure cipher suites to be used for TLS connections
      #cipher_suites: []

      # Configure curve types for ECDHE based cipher suites
      #curve_types: []
4

Skimming the sample, I don't see anything wrong with the sample snippet. Did you mix tabs and spaces by accident?

have you tried to lint your config (e.g. with yamllint.com) ? Not having the full configuration file it's quite hard to jump to line 223 to fix the error... (please properly format your config)

5

this is the content in the 223 line

220: ### Logstash as output
221: logstash:
222: #the Logstash hosts
223: hosts: ["localhost:5044"]

6

your line numbering is off by one :wink:

I reformatted your post. It's bulk_max_size setting being clearly off.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.