I am trying to set up syslogging from a Nexus switch to feed into Filebeat's Cisco module that would then feed into Elasticsearch. I tend to get the same error message after enabling the Cisco module and running this from PowerShell: `./filebeat.exe setup -e`. The versions of Elasticsearch, Kibana and Filebeat are all 8.9.0.
Filebeat is able to connect to Elasticsearch but here is the error I keep getting which seems to terminate the Filebeat service:
```
{"log.level":"error","@timestamp":"2023-09-26T09:56:05.655-0700","log.origin":{"file.name":"cfgfile/reload.go","file.line":270},"message":"Error loading config from file 'C:\Program Files\Filebeat-8.9.0-CISCO\modules.d\cisco.yml', error invalid config: yaml: line 102: did not find expected key","service.name":"filebeat","ecs.version":"1.6.0"}
```
Here is the `cisco.yml` file from the `modules.d` folder:
Starts on line 99.
```
nexus:
enabled: true
# Set which input to use between udp (default), tcp or file.
var.input: udp
var.syslog_host: 10.0.0.83
var.syslog_port: 9004
# Set paths for the log files when file input is used.
# var.paths:
# Toggle output of non-ECS fields (default true).
# var.rsa_fields: true
# Set custom timezone offset.
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
```
Line 102 is the "Set which input to use between udp, tcp or file". It has been confirmed data is being sent but when I start the Filebeat service with the cisco module enabled, the filebeat service starts for a few seconds and then stops. When I turned off the cisco module and started the Filebeat service, it ran just fine with no issues.
Not sure why I keep getting the error, been stuck on this for a while.
I have reviewed the cisco.yml config file countless times, changed the var.syslog_host to 0.0.0., I changed the protocol from udp to tcp and then changed it back. I tried a slightly newer version (Filebeat 8.9.2) but got the same error. Please help.
As YAML is a very picky format, you first need to make sure to remove the initial spaces on the uncommented lines.
```
# Set which input to use between udp (default), tcp or file.
var.input: udp
var.syslog_host: 10.0.0.83
var.syslog_port: 9004
^
|
here
```
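A stdlib-only Python check for the indentation mistake the answer points at, added here as an illustration (not code from the original posts or from Filebeat). The sample fragment and its exact spacing are constructed, `find_overindented_keys` is a hypothetical helper, and the check is a line heuristic rather than a full YAML parser.

```python
import re

# Constructed sample modeled on the question's cisco.yml fragment; the exact
# number of leading spaces is an assumption made for this example.
BROKEN = """\
  nexus:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
     var.input: udp
     var.syslog_host: 10.0.0.83
     var.syslog_port: 9004
"""
FIXED = BROKEN.replace("\n     var.", "\n    var.")

# Leading spaces plus any "- " list markers, then "key:" and an optional value.
KEY_LINE = re.compile(r"^(\s*(?:-\s+)*)([^\s#:][^:]*):(?:\s+(.*))?$")


def find_overindented_keys(text):
    """Return (line_no, indent, sibling_indent) for every key that is indented
    deeper than a preceding key which already holds a scalar value. YAML parsers
    reject that layout with errors such as "did not find expected key"."""
    findings = []
    prev = None  # (indent, has_scalar_value) of the last accepted key line
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments do not affect structure
        match = KEY_LINE.match(raw.rstrip())
        if match is None:
            prev = None  # not a "key: value" line; context unknown, reset
            continue
        indent = len(match.group(1))
        value = (match.group(3) or "").split(" #", 1)[0].strip()
        # An empty value, block scalar, anchor or tag may open a nested block.
        has_scalar = value[:1] not in ("", "|", ">", "&", "!")
        if prev and prev[1] and indent > prev[0]:
            findings.append((line_no, indent, prev[0]))
            continue  # keep comparing later lines against the valid sibling
        prev = (indent, has_scalar)
    return findings


if __name__ == "__main__":
    for line_no, indent, expected in find_overindented_keys(BROKEN):
        print(f"line {line_no}: indented {indent} spaces, sibling keys use {expected}")
    print("fixed copy findings:", find_overindented_keys(FIXED))
```

Line numbers in the result are relative to the text passed in, so run it over the whole module file to get numbers that match the editor.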