Invalid top-level key 'setup' found

hi, i have try to install winlogbeat on Windows Server Datacenter and failed.

i download winlogbeat from here

extract the content into C:\Program Files and rename the winlogbeat- directory to Winlogbeat.

edit winlogbeat.yml as a follow

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: rv07prd

# The tags of the shipper are included in their own field with each
# transaction published.
tags: ["windows", "iis", "ad", "rv07prd"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "XXX.XX.XX.XX:63600"

#============================= Elastic Cloud ==================================

# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["XXX.XX.XX.XX:63301"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["C:/Program Files/Winlogbeat/reversal-chain.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "C:/Program Files/Winlogbeat/winlogbeat.crt"

  # Client Certificate Key
  ssl.key: "C:/Program Files/Winlogbeat/winlogbeat.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
logging.level: info

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"] 

when i run .\winlogbeat.exe -c winlogbeat.yml -e -v -d "*" i have this error:

Exiting: Error reading configuration file. 1 error: Invalid top-level key 'setup' found. Valid keys are bulk_queue_size, dashboards, fields, fields_under_root, logging, max_procs, name, output, path, processors, queue_size, tags, winlogbeat accessing config

i found this topic about similar error and revised my config. i cant find the "setup" key declared or what is causing it.

i try again as andrewkroh on the topic above suggest, but i have the same error.

winlogbeat.event_logs:
  #- name: Application
  #  ignore_older: 72h
  - name: ForwardedEvents
    ignore_older: 8760h

Exiting: Error reading configuration file. 1 error: Invalid top-level key 'setup' found. Valid keys are bulk_queue_size, dashboards, fields, fields_under_root, logging, max_procs, name, output, path, processors, queue_size, tags, winlogbeat accessing config.

i appreciate any help.
thanks in advance.

What version did you download?

Since 6.0.0-beta1 we removed this key validation check from Winlogbeat to prevent this sort of bug from occurring. You can try the 6.0.0-beta2 release and it shouldn't have this problem.

winlogbeat version is 5.6.1 available on https://www.elastic.co/downloads/beats/winlogbeat
i’ll try 6.0 beta.

But the config you are showing looks like it's from 6.0.0? The winlogbeat.yml in 5.6.1 doesn't have the setup.* options that I can see.

yes. i change the winlogbeat.yml because with the yml downloaded with te 5.6.1 i have the same error about “setup” key. i’ll try the beta version and test now.

when i use the beta version, winlogbeat has able to send info to logstash. thanks for the help.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.