Need help with errors during starting filebeat service, please help with verifying the yml file


(Cloud Guy) #1

When I am trying to start the filebeat service I get an error saying:

graylog@graylog:/etc/filebeat$ service filebeat status
● filebeat.service - filebeat
   Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
   Active: failed (Result: start-limit-hit) since Wed 2019-01-09 20:59:32 CST; 1s ago
     Docs: https://www.elastic.co/guide/en/beats/filebeat/current/index.html
  Process: 4650 ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/fi
 Main PID: 4650 (code=exited, status=1/FAILURE)

Jan 09 20:59:31 graylog systemd[1]: filebeat.service: Unit entered failed state.
Jan 09 20:59:31 graylog systemd[1]: filebeat.service: Failed with result 'exit-code'.
Jan 09 20:59:32 graylog systemd[1]: filebeat.service: Service hold-off time over, scheduling restart.
Jan 09 20:59:32 graylog systemd[1]: Stopped filebeat.
Jan 09 20:59:32 graylog systemd[1]: filebeat.service: Start request repeated too quickly.
Jan 09 20:59:32 graylog systemd[1]: Failed to start filebeat.
Jan 09 20:59:32 graylog systemd[1]: filebeat.service: Unit entered failed state.
Jan 09 20:59:32 graylog systemd[1]: filebeat.service: Failed with result 'start-limit-hit'.

Here is the yml file. Can you help see if this is an issue with spacing or unwanted characters, or even indentation in this script?

filebeat.prospectors:
- input_type: log
document_type: postfix
paths:
- /var/log/mail.log
- input_type: log
document_type: zimbra_audit
paths:
- /opt/zimbra/log/audit.log
- input_type: log
document_type: zimbra_mailbox
paths:
- /opt/zimbra/log/mailbox.log
- input_type: log
document_type: nginx
paths:
- /opt/zimbra/log/nginx.access.log
output.logstash:
  hosts: ["192.168.1.27:5045"]
  template.name: "filebeat"
  template.path: "filebeat.template.json"
  template.overwrite: false
output.elasticsearch:
  hosts: ["localhost:9200"]
logging.metrics.period: 1m

I am sorry if I am breaking any rules here, I am new to this technology and to the forum.
Thanks in advance.


(Cloud Guy) #2

Does it have to do with the deprecated document_type and input_type parameters?
If so, then what would be the correct way to put all of this?


(Pier-Hugues Pellerin) #3

Hello, I see a few errors. The input declarations should be defined similar to this:

filebeat.inputs:
    - type: log
      paths:
        - /var/log/mail.log
      fields:
        document_type: postfix

    - type: log
      paths:
        - /opt/zimbra/log/audit.log
      fields:
        document_type: zimbra_audit

    - type: log
      paths:
        - /opt/zimbra/log/mailbox.log
      fields:
        document_type: zimbra_mailbox

    - type: log
      paths:
        - /opt/zimbra/log/nginx.access.log
      fields:
        document_type: nginx

And filebeat only supports one output defined at any time:

output.logstash:
  hosts: ["192.168.1.27:5045"]

Or

output.elasticsearch:
  hosts: ["localhost:9200"]

You can test your configuration by running filebeat in a shell and increasing the log level. The following command should give more information:

filebeat -v -e -d "*"
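
A pre-flight check for the problems identified in this thread (the old `filebeat.prospectors` / `input_type` / top-level `document_type` keys, input settings left at column 0, and two `output.*` sections), added here as an example; it is not part of the original posts and not Filebeat code. The name `lint_filebeat_config` and both sample configs are constructed for illustration, and the check is a line-based heuristic that assumes outputs are written as top-level `output.<name>:` keys. It is worth running before a restart because the mail and audit logs are not shipped while the service sits in the failed state.

```python
import re

# Renamed keys, and keys that are only valid inside an input list item.
RENAMED = {"filebeat.prospectors": "filebeat.inputs", "input_type": "type"}
NESTED_ONLY = {"type", "input_type", "document_type", "paths", "fields"}

def lint_filebeat_config(text):
    """Return (line_no, message) findings for the problems raised in this thread."""
    findings, outputs, stack = [], [], []  # stack: (indent, key) of open parent keys
    for no, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"( *)(- )?([\w.]+):", raw)
        if not m:
            continue  # blank line, comment, or scalar list item such as a path
        indent, key = len(m.group(1)) + len(m.group(2) or ""), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close parents that are not above this key
        if key in RENAMED:
            findings.append((no, f"old key {key}: use {RENAMED[key]}"))
        elif key == "document_type" and (not stack or stack[-1][1] != "fields"):
            findings.append((no, "document_type must sit under fields"))
        if indent == 0 and key in NESTED_ONLY:
            findings.append((no, f"{key} at column 0 is outside its input"))
        if indent == 0 and key.startswith("output."):
            outputs.append((no, key))
        stack.append((indent, key))
    if len({key for _, key in outputs}) > 1:
        findings.append((outputs[1][0], "more than one output section"))
    return findings

# Constructed samples: a shortened copy of the question's config and the answer's form.
BROKEN = """filebeat.prospectors:
- input_type: log
document_type: postfix
paths:
- /var/log/mail.log
output.logstash:
  hosts: ["192.168.1.27:5045"]
output.elasticsearch:
"""
FIXED = """filebeat.inputs:
    - type: log
      paths:
        - /var/log/mail.log
      fields:
        document_type: postfix
output.logstash:
  hosts: ["192.168.1.27:5045"]
"""
for line_no, message in lint_filebeat_config(BROKEN):
    print(f"line {line_no}: {message}")
```

An empty result only means none of these specific mistakes were found; running filebeat in the foreground as shown above is still the authoritative test.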

(Cloud Guy) #4

Thanks for setting this up for me. I am gonna try this, and report back.