Windows sidecar filebeat 'exiting: no modules or inputs enabled'

Dear Graylog Community,

The version of Graylog we are using is 3.1.3
The version of Sidecar we are using is 1.0.2-1 for Windows.

I’ve set up sidecar filebeat collector on a windows server and would like to push aggregated .evtx log files into Graylog.
I’ve configured a filebeat with the following yml file.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["192.168.1.1:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\filebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
filebeat.inputs:
  type: log
  enabled: true
  paths:
    - 'E:\EventForwarded\*.evtx'

filebeat.prospectors:
  - type: log
  - enabled: true
    paths:
    - 'E:\EventForwarded\*.evtx'

I am getting an error message of “Backend finished unexpectedly, sending restart signal”.
The collector status in Graylog is ‘collector is running’.
Within the Log files section of the ‘Sidecar windows_collector status’ screen (see attached screenshot), it lists out all the logs but no messages are being sent to the Graylog server.
Any help would be appreciated.

Hi there, is that host the correct Graylog server? 192.168.1.1 ?

Dear Luis,
It is not. The address is 10.18.172.21.

I’ve made the correction but the error message persists.

It would help if you used the formatting buttons in your post…

It appears you are using the filebeat.inputs then repeating yourself with the older method of filebeat.prospectors. Take out the prospectors instance.

Thank you. Formatted for readability. :smiley:

I took out the prospectors section but, the error still persists.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}


output.logstash:
   hosts: ["10.18.172.21:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\filebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
  
tags:
 - windows consolidated
filebeat.inputs:
  type: log
  enabled: true
  paths:
    - 'E:\EventForwarded\*.evtx'

The filebeat log is as follows:

2019-11-13T16:33:21.547+0100	INFO	instance/beat.go:544	Home path: [C:\Program Files\Graylog\sidecar] Config path: [C:\Program Files\Graylog\sidecar] Data path: [C:\Program Files\Graylog\sidecar\cache\filebeat\data] Logs path: [C:\Program Files\Graylog\sidecar\logs]
2019-11-13T16:33:21.607+0100	INFO	instance/beat.go:551	Beat UUID: 966d8faa-f577-47af-9b29-30b89fb973b0
2019-11-13T16:33:21.608+0100	INFO	[beat]	instance/beat.go:768	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Graylog\\sidecar", "data": "C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat\\data", "home": "C:\\Program Files\\Graylog\\sidecar", "logs": "C:\\Program Files\\Graylog\\sidecar\\logs"}, "type": "filebeat", "uuid": "966d8faa-f577-47af-9b29-30b89fb973b0"}}}
2019-11-13T16:33:21.609+0100	INFO	[beat]	instance/beat.go:777	Build info	{"system_info": {"build": {"commit": "e193f6d68b25b7ddbe3a3ed8d60bc07fea1ef800", "libbeat": "6.4.2", "time": "2018-09-26T12:41:59.000Z", "version": "6.4.2"}}}
2019-11-13T16:33:21.609+0100	INFO	[beat]	instance/beat.go:780	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.10.3"}}}
2019-11-13T16:33:21.649+0100	INFO	[beat]	instance/beat.go:784	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-11-08T14:23:23.75+01:00","hostname":"rtce-collect","ips":["fe80::699b:f285:21ab:294d/64","10.18.221.139/24","::1/128","127.0.0.1/8","fe80::5efe:a12:dd8b/128"],"kernel_version":"10.0.14393.3297 (rs1_release_1.191001-1045)","mac_addresses":["00:50:56:9a:b3:e3","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2016 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.3300"},"timezone":"CET","timezone_offset_sec":3600,"id":"7a6f621e-11d3-4faf-9342-6beec53f41e2"}}}
2019-11-13T16:33:21.650+0100	INFO	instance/beat.go:273	Setup Beat: filebeat; Version: 6.4.2
2019-11-13T16:33:21.656+0100	INFO	pipeline/module.go:98	Beat name: rtce-collect
2019-11-13T16:33:21.658+0100	ERROR	instance/beat.go:743	Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch?

Two things I noticed (now that the formatting is in… :yum:) Not sure if it will fix it…

tags are comma separated so it should be:

tags:
 - windows, consolidated

And you do not need quotes on the file path

  paths:
    - E:\EventForwarded\*.evtx

I still get this error. All I want to do is to have the filebeat read all the logs in a directory and push them to graylog for indexing. Any help would be appreciated.

2019-11-13T16:59:45.909+0100 ERROR instance/beat.go:743 Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch?

tags:
 - windows, consolidated
filebeat.inputs:
  type: log
  enabled: true
  paths:
    - E:\EventForwarded\*.evtx

oooh … here is another thing I missed… You also need a dash in front of type:

filebeat:
  inputs:
    - type: log
      enabled: true

Fingers crossed that’s it! Below is a working filebeat I use for watching Owa… hopefully it will help too:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts:
   - ${user.BeatsInput}
   ssl:
     verification_mode: none
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows, exchange, filebeat, OWA, e-mail
filebeat:
  inputs:
    - type: log
      enabled: true
      # find owa logon and logoff but not when the HealthMailbox does it.
      include_lines: ['auth.owa', 'logoff.owa']
      exclude_lines: ['HealthMailbox','^#']
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\*.LOG

Fixed. I had to indent properly with spaces.

Thanks again tmacgbay!


Funny that it is sensitive about indentation!! Glad it works!!
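
Added example, not part of the original thread: a small Python lint for the mistakes the thread works through (inputs written as a mapping instead of a list, tabs in indentation, inputs and prospectors both defined), plus a flag for the `verification_mode: none` setting seen in the posted OWA config. The function name and sample strings are constructed for illustration, and the check is line-based rather than a full YAML parse.

```python
import re

# Constructed sample: the input section as posted in the thread (no dash before "type").
BROKEN = """\
tags:
 - windows, consolidated
filebeat.inputs:
  type: log
  enabled: true
  paths:
    - E:\\EventForwarded\\*.evtx
"""

# Constructed sample: the same section written as a list of inputs.
FIXED = """\
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - E:\\EventForwarded\\*.evtx
"""

INPUT_KEYS = ("filebeat.inputs:", "filebeat.prospectors:", "inputs:", "prospectors:")


def lint_filebeat_config(text):
    """Return (line_number, message) findings; line 0 means a whole-file finding."""
    findings, seen = [], set()
    lines = text.splitlines()
    for no, line in enumerate(lines, 1):
        key = line.strip()
        indent = line[: len(line) - len(line.lstrip())]
        if "\t" in indent:
            findings.append((no, "tab in indentation; YAML only allows spaces"))
        if re.match(r"verification_mode:\s*none\b", key):
            findings.append((no, "TLS certificate verification is disabled for this output"))
        if key in INPUT_KEYS:
            seen.add(key.rstrip(":").split(".")[-1])
            # The first non-blank, non-comment line after the key must start a list item.
            rest = (l.strip() for l in lines[no:])
            nxt = next((l for l in rest if l and not l.startswith("#")), "")
            if not nxt.startswith("- "):
                findings.append((no, f"{key} needs a list: put '- ' before the first key"))
    if {"inputs", "prospectors"} <= seen:
        findings.append((0, "inputs and prospectors are both defined; keep only inputs"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_filebeat_config(cfg))
```
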
