New filebeat implementation for Fortinet module not starting

I'm not sure what I'm missing here. I apologize for being a noob but I've just started getting into setting up my ELK stack and can't figure this out.

I thought I had it all configured, but Filebeat won't start, and I found the following log messages.

filebeat[141777]: {"log.level":"info","@timestamp":"2022-05-17T11:14:19.761-0400","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":160},"message":"Stopping metrics logging.","service.name":"filebeat","ecs.version":"1.6.0"}
filebeat[141777]: {"log.level":"info","@timestamp":"2022-05-17T11:14:19.761-0400","log.origin":{"file.name":"instance/beat.go","file.line":510},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}
filebeat[141777]: {"log.level":"error","@timestamp":"2022-05-17T11:14:19.761-0400","log.origin":{"file.name":"instance/beat.go","file.line":1038},"message":"Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module logstash is configured but has no enabled filesets","service.name":"filebeat","ecs.version":"1.6.0"}
filebeat[141777]: Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module logstash is configured but has no enabled filesets
systemd[1]: filebeat.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: filebeat.service: Failed with result 'exit-code'.

Configurations

# cat /etc/filebeat/modules.d/fortinet.yml
- module: fortinet
  firewall:
    enabled: true
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9004
    #var.internal_interfaces: [ "LAN" ]
    #var.external_interfaces: [ "WAN" ]

  clientendpoint:
    enabled: false

  fortimail:
    enabled: false

  fortimanager:
    enabled: false
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9004
#
# filebeat modules list
Enabled:
fortinet
logstash
...
# 
# grep -b3 -a3 output /etc/filebeat/filebeat.yml
1473-setup.kibana:
1487-  host: "192.168.1.227:5601"
1516-
1517:output.elasticsearch:
1539-    hosts: ["192.168.1.227:9200"]
1573-    username: "elastic"
1597-    password: "xxxxxxxxxxxxx"
1681-
1682-# =================================== Logstash ===================================
1765:output.logstash:
1782-      hosts: ["192.168.1.227:5044"]
1818-
#
# grep module /etc/filebeat/filebeat.yml
# ============================== Filebeat modules ==============================
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
#

Hi @doublejz

Disable Logstash module and try again.
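
The error in the log names one module that is enabled but has no fileset switched on; the check below lists every module in a modules.d directory that is in that state, so it can be caught before Filebeat is restarted. It is an added example, not part of the original thread or of Filebeat itself. Assumptions: the function names and the sample files are constructed for illustration, and the line-based awk match relies on the usual modules.d layout rather than a full YAML parse.

```shell
#!/bin/sh
# modules_without_filesets DIR: print the name of every module that is
# active in DIR (file ends in .yml) but has no fileset with "enabled: true".
modules_without_filesets() {
    dir=$1
    for f in "$dir"/*.yml; do
        [ -f "$f" ] || continue
        awk '
            function report() { if (name != "" && !on) print name }
            /^[ \t]*#/ { next }                        # ignore commented lines
            /^-[ \t]+module:/ { report(); name = $3; on = 0; next }
            /^[ \t]+enabled:[ \t]*true/ { on = 1 }     # some fileset is on
            END { report() }
        ' "$f"
    done
}

# Constructed sample directory mirroring the thread: fortinet has one fileset
# enabled, logstash is active but all of its filesets are still disabled.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/fortinet.yml" <<'EOF'
- module: fortinet
  firewall:
    enabled: true
    var.input: udp
  clientendpoint:
    enabled: false
EOF
    cat > "$d/logstash.yml" <<'EOF'
- module: logstash
  log:
    enabled: false
  slowlog:
    enabled: false
EOF
    echo "$d"
}

sample=$(make_sample)
modules_without_filesets "$sample"    # prints: logstash
rm -rf "$sample"
```

Pointed at `/etc/filebeat/modules.d`, a module it reports either needs a fileset set to `enabled: true` or should be turned off with `filebeat modules disable <name>`.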
