Packetbeat refuses to start - yaml error

Hey guys,

I've had a decent set of beats configs distributed by puppet and running well for, oh, about a month at this point, when suddenly, as of yesterday, packetbeat stopped functioning. There were no known changes. Must be solar winds or something.

Anyway, when I stopped puppet on one of the hosts and ran packetbeat manually it refused to start. I tried starting it with the service first. Then completely manually after that failed.

This is what I got when I tried it manually:

[root@web1:~] #/usr/bin/packetbeat -c /etc/packetbeat/packetbeat.yml
Loading config file error: YAML config parsing failed on /etc/packetbeat/packetbeat.yml: yaml: unmarshal errors:
  line 20: cannot unmarshal !!seq into outputs.MothershipConfig
  line 21: cannot unmarshal !!str `http` into outputs.MothershipConfig
  line 22: cannot unmarshal !!str `admin` into outputs.MothershipConfig
  line 23: cannot unmarshal !!str `secretpass` into outputs.MothershipConfig
  line 24: cannot unmarshal !!str `packetb...` into outputs.MothershipConfig. Exiting.

Odd, so I tried parsing the file using some online YAML parsers. I tried parsing the config both here:

codebeautify.org

And here:

yaml-online-parser.appspot.com

And the file passed both times with both yaml parsers. Here's my config file that's generating the error:

interfaces:
  device: any
protocols:
  dns:
    ports: [53]
    include_authorities: true
    include_additionals: true
  http:
    ports: [80, 443, 5000]
  memcache:
    ports: [11211, 11212]
  mysql:
    ports: [3306]
  pgsql:
  redis:
  thrift:
    ports: [9042]
output:
    elasticsearch:
    hosts: ["logs.example.com:9200"]
    protocol: "http"
    username: "admin"
    password: "secret"
    index: "packetbeat-"
    tls:
      certificate_authorities: ["/etc/pki/CA/certs/ca.crt"]
shipper:
  tags: ["jokefire-dev", "web-tier"]
logging:

I can't figure out why this file is generating these errors. Any help here would be appreciated!!

Thanks

The settings under elasticsearch: need to be indented by one level more, like this:

interfaces:
  device: any
protocols:
  dns:
    ports: [53]
    include_authorities: true
    include_additionals: true
  http:
    ports: [80, 443, 5000]
  memcache:
    ports: [11211, 11212]
  mysql:
    ports: [3306]
  pgsql:
  redis:
  thrift:
    ports: [9042]
output:
    elasticsearch:
      hosts: ["logs.example.com:9200"]
      protocol: "http"
      username: "admin"
      password: "secret"
      index: "packetbeat-"
      tls:
        certificate_authorities: ["/etc/pki/CA/certs/ca.crt"]
shipper:
  tags: ["jokefire-dev", "web-tier"]
logging:
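
Added example, not part of the thread: the question's file is syntactically valid YAML, which is why the online parsers accepted it, but `hosts`, `protocol` and the rest parse as siblings of an empty `elasticsearch:` key, and Packetbeat expects every direct child of `output` to be a mapping. This Python sketch flags such keys by indentation alone; the function name, the `first_line` parameter and the line-based scan are assumptions of the example, and it is not a YAML parser.

```python
import re

# "key: value" line with its leading indentation (block-style mappings only).
KEY = re.compile(r"^(\s*)([A-Za-z_][\w.-]*):\s*(.*)$")

def misplaced_output_keys(text, section="output", first_line=1):
    """Return (line_number, key) for direct children of `section` that carry
    an inline scalar or list instead of a nested block of settings."""
    findings, in_section, child_indent = [], False, None
    for lineno, line in enumerate(text.splitlines(), start=first_line):
        m = KEY.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:                    # a new top-level section starts
            in_section, child_indent = (key == section), None
        elif in_section:
            if child_indent is None:       # first child sets the child level
                child_indent = indent
            if indent == child_indent and value:
                findings.append((lineno, key))
    return findings

# Constructed excerpts: the output section as posted in the question and in
# the answer. In the full file this section starts on line 18.
BROKEN = """\
output:
    elasticsearch:
    hosts: ["logs.example.com:9200"]
    protocol: "http"
    username: "admin"
    password: "secret"
    index: "packetbeat-"
    tls:
      certificate_authorities: ["/etc/pki/CA/certs/ca.crt"]
"""
FIXED = """\
output:
    elasticsearch:
      hosts: ["logs.example.com:9200"]
      protocol: "http"
      username: "admin"
      password: "secret"
      index: "packetbeat-"
      tls:
        certificate_authorities: ["/etc/pki/CA/certs/ca.crt"]
"""

if __name__ == "__main__":
    for name, cfg in (("question", BROKEN), ("answer", FIXED)):
        print(name, misplaced_output_keys(cfg, first_line=18))
```

The five keys reported for the question's excerpt fall on lines 20 to 24, the same lines Packetbeat names in its unmarshal errors.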

@tudor Excellent!! Thanks!! It's working now. Appreciate the tip! :smiley:
