I struggle to create a working filebeat configuration for Windows.
The configuration of the sidcar is:
# Needed for Graylog
fields_under_root: false
fields.collector_node_id: {sidecar.nodeName}
fields.gl2_source_collector: {sidecar.nodeId}
Once deployed to Windows I get the error:
Error Details for filebeat_win
Exiting: error loading config file: open C:\Program: Das System kann die angeebene Datei nicht finden.
What might be the error her. Winlogbeat runs fine on the same system.
Graylog: 3.0.1
ES: 6.7.1
yes, I tried this, but I still get the same error message.
I my effort to do more debugging I found out, that the sidecar says in the sidecar.log:
time="2019-04-17T13:48:15+02:00" level=info msg="[filebeat_win] Configuration change detected, rewriting configuration file."
time="2019-04-17T13:48:15+02:00" level=error msg="[filebeat_win] Collector configuration file is not valid, waiting for the next update."
time="2019-04-17T13:48:15+02:00" level=error msg="[filebeat_win] Validation command output: Exiting: error loading config file: open C:\\Program: Das System kann die angegebene Datei nicht finden.\n"
But when I test the filebeat config directly I get this:
C:\Program Files\Graylog\sidecar>filebeat.exe test config -c generated\filebeat_win.conf
Config OK
That’s somehow strange. Filebeat tells me the configuration is ok, but sidecar tells me the configuration is broken.
Do you know which setting ist correkt for “Process Management” for filebeat?
Is it “foreground execution” or “Windows service”?
thanks for the hint. But somehow sidecar itself can’t find the filebeat configuration file. I am using Sidecar 1.0.1.
If I run filebeat from the command line, it works and I receive messages in Graylog like expected: C:\Program Files\Graylog\sidecar>filebeat.exe -c "C:\\Program Files\\Graylog\\sidecar\\generated\\filebeat_win.conf"
But wiht sidecart I get always the error. I checked all the quotes, they are all right.
Therefore I uncommented in sidecar.yml the line: collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"
But without success. Still, sidecar can’t find the filebeat config file.
By the way, winlogbeat works fine on the same windows machine.
thanks for your help.
I tried with quotes, but the error still is the same.
What puzzles me is, that in the winlogbeat.conf it works without quotes.
Secondly the filebeat test config command returns “Syntax OK” like I wrote in a previous message.
So, obviously the sidecar config check returns an error, but the filebeat config check returns a “Syntax OK”.
So, may be, I have a problem with the sidecar.yml configuration.
In the sidecar.yml I defined configuration directory with this line:
collector_configuration_directory: “C:\Program Files\Graylog\sidecar\generated”
Is it possible, that the sidecar configuration check is getting something wrong here?
How can I debug further the sidecar?
Hey Dietmar,
because the validation command is obviously not working could you please share the setting “Parameters for Configuration Validation” in the “Log Collectors” section for both beats?
It should be: test config -c “%s”
So the path to the configuration file is quoted there as well.
thanks for the hint. I am now out of office. Next week I will be back and will check the mentioned setting.
But I simply copied the setting from winlogbeat. May be that was wrong.
yes, looks like this solves the problem.
The parameter for config validation was: test config -c %s
because I simply copied it from the filebeat for Linux Collector configuration.
With quotes it works!!
May be you can improve the documentation, so the difference between Linux and Windows in the Log Collector configuration is obvious.
