Invalid top-level key 'setup' found


(Igor Marques) #1

Hi, I have tried to install Winlogbeat on Windows Server Datacenter and failed.

I downloaded Winlogbeat from here.

I extracted the content into C:\Program Files and renamed the winlogbeat- directory to Winlogbeat.

I edited winlogbeat.yml as follows:

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: rv07prd

# The tags of the shipper are included in their own field with each
# transaction published.
tags: ["windows", "iis", "ad", "rv07prd"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "XXX.XX.XX.XX:63600"

#============================= Elastic Cloud ==================================

# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["XXX.XX.XX.XX:63301"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["C:/Program Files/Winlogbeat/reversal-chain.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "C:/Program Files/Winlogbeat/winlogbeat.crt"

  # Client Certificate Key
  ssl.key: "C:/Program Files/Winlogbeat/winlogbeat.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
logging.level: info

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"] 

When I run .\winlogbeat.exe -c winlogbeat.yml -e -v -d "*" I get this error:

Exiting: Error reading configuration file. 1 error: Invalid top-level key 'setup' found. Valid keys are bulk_queue_size, dashboards, fields, fields_under_root, logging, max_procs, name, output, path, processors, queue_size, tags, winlogbeat accessing config

I found this topic about a similar error and revised my config. I can't find the "setup" key declared or what is causing it.

I tried again as andrewkroh suggested in the topic above, but I have the same error.

winlogbeat.event_logs:
  #- name: Application
  #  ignore_older: 72h
  - name: ForwardedEvents
    ignore_older: 8760h

Exiting: Error reading configuration file. 1 error: Invalid top-level key 'setup' found. Valid keys are bulk_queue_size, dashboards, fields, fields_under_root, logging, max_procs, name, output, path, processors, queue_size, tags, winlogbeat accessing config.

I appreciate any help.
Thanks in advance.


(Andrew Kroh) #2

What version did you download?


(Andrew Kroh) #3

Since 6.0.0-beta1 we removed this key validation check from Winlogbeat to prevent this sort of bug from occurring. You can try the 6.0.0-beta2 release and it shouldn't have this problem.
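
An added example, not part of the thread or of Elastic's code: a pre-flight check that reports which keys in a winlogbeat.yml fall outside the allowlist quoted in the error message above. It assumes a dotted key is a path under its first segment, as the 'setup' error implies; the function names and the sample hosts are constructed.

```python
import re

# Valid top-level keys, copied from the Winlogbeat error message quoted in this thread.
VALID_TOP_LEVEL_KEYS = frozenset(
    "bulk_queue_size dashboards fields fields_under_root logging max_procs "
    "name output path processors queue_size tags winlogbeat".split()
)

# An unindented "key:" line. Indented lines are nested content; comments never match.
_TOP_LEVEL = re.compile(r"^([A-Za-z_][\w.\-]*)\s*:")


def top_level_keys(config_text):
    """Yield (line_number, full_key, namespace) for each unindented key."""
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = _TOP_LEVEL.match(line)
        if match:
            full_key = match.group(1)
            # Assumption: a dotted key such as setup.kibana is a path under 'setup'.
            yield number, full_key, full_key.split(".", 1)[0]


def rejected_keys(config_text, valid=VALID_TOP_LEVEL_KEYS):
    """Return the keys a strict top-level check with this allowlist would reject."""
    return [(n, key, ns) for n, key, ns in top_level_keys(config_text) if ns not in valid]


# Constructed excerpt of the configuration posted above (comments and hosts trimmed).
SAMPLE = """\
winlogbeat.event_logs:
  - name: Security
setup.template.settings:
  index.number_of_shards: 3
name: rv07prd
#setup.dashboards.url:
setup.dashboards.enabled: true
setup.kibana:
  host: "kibana.example:5601"
output.logstash:
  hosts: ["logstash.example:5044"]
logging.level: info
"""

if __name__ == "__main__":
    for number, key, namespace in rejected_keys(SAMPLE):
        print(f"line {number}: '{key}' uses top-level key '{namespace}' not in the allowlist")
```
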


(Igor Marques) #4

The Winlogbeat version is 5.6.1, available on https://www.elastic.co/downloads/beats/winlogbeat
I’ll try 6.0 beta.


(Andrew Kroh) #5

But the config you are showing looks like it's from 6.0.0? The winlogbeat.yml in 5.6.1 doesn't have the setup.* options that I can see.


(Igor Marques) #6

Yes. I changed the winlogbeat.yml because with the yml downloaded with the 5.6.1 I have the same error about the “setup” key. I’ll try the beta version and test now.


(Igor Marques) #7

When I use the beta version, Winlogbeat was able to send info to Logstash. Thanks for the help.

