Winfilebeat - Collector Config error

I am trying to get winfilebeat working for some DNS logs and I am oh-so-close. Google-FU not working well.

EDIT/NOTE: There are default configurations that come up for all collectors EXCEPT winFileBeat…

Here is the Collector Config I built:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
    - type: log
    paths:
      - C:\Windows\Logs\DNSServer\dns.log
path:
  data: C:\Program Files\Graylog\sidecar\cache\winfilebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

output.logstash:
   hosts: ["${user.BeatsInput}"]

But I get an error on the client in the beats log:

level=error msg="[winFileBeat] Validation command output: Exiting: error loading config file: yaml: line 14: did not find expected '-' indicator\n"

I have searched in Graylog docs, Elastic docs and googled the internet for a day but can’t find a basic windows framework to work from. I referenced the linux one here: Graylog Sidecar config pic

I expect that I missed something simple - happens to me all the time.

The Winlogbeat portion is feeding standard logfiles over fine so I know basic stuff is configured correctly… here is the client side yml just in case

server_url: http://192.168.2.218:9000/api/
server_api_token: "gobbleDgook" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml

I am not sure why my GL server doesn’t have a default winFileBeat configuration. Could someone start a new collector configuration (GL3.0) change it to winFileBeat and paste up the default configuration code for me?

I don’t think it’s just you. I am having the same problem trying to get a Winbeat/Filebeat config built.
My four options are:

  1. filebeat on Linux
  2. nxlog on Linux
  3. nxlog on Windows
  4. winlogbeat on Windows

If it helps, here is my process to where I am stuck.

Here is what I have in screen shots - under Sidecar Configuration I created a new Log Collector:

Then created a new Collector Configuration

Then I apply it:

It fails to start with the following error (shows on server and in client log):

Exiting: error loading config file: yaml: line 14: did not find expected '-' indicator

Even looking over docs at Elastic, it’s not clear what it is expecting.

Solved - Below is a working winFileBeat config: (Thanks @jforster)

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: 
   - ${user.BeatsInput}
   ssl:
     # TLS certificate verification is disabled for the Beats output
     verification_mode: none
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
filebeat:
  inputs:
    - type: log
      paths:
        - C:\Users\GL-Testor\testing.log
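The difference between the failing and the working config above is where `paths:` sits relative to `- type: log`. The following is an added example, not part of the thread or of Graylog/Filebeat: a heuristic Python lint (the function name `find_misaligned_keys` is made up for illustration) that flags a mapping key placed in the dash column of an indented list item, run on excerpts of the two configs posted here.

```python
import re

KEY_RE = re.compile(r"[^#]*?:(\s|$)")  # "key:" or "key: value"

def find_misaligned_keys(config_text):
    """Heuristic lint (not a YAML parser): return (line_no, text) for mapping
    keys placed in the dash column of an indented list item."""
    findings = []
    seqs = []      # stack of (dash_indent, indent of the key that opened the list)
    opener = None  # indent of the previous line if it was a bare "key:"
    for no, raw in enumerate(config_text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if body == "-" or body.startswith("- "):
            while seqs and seqs[-1][0] > indent:
                seqs.pop()
            if not seqs or seqs[-1][0] != indent:
                seqs.append((indent, opener))
            opener = indent + 2 if body.endswith(":") else None
            continue
        if seqs and seqs[-1][0] == indent and KEY_RE.match(body):
            parent = seqs[-1][1]
            # A list indented deeper than its parent key cannot hold a key in the dash column.
            if parent is not None and parent < indent:
                findings.append((no, body))
        while seqs and seqs[-1][0] >= indent:
            seqs.pop()
        opener = indent if body.endswith(":") else None
    return findings

# Excerpts of the configs posted in this thread (Windows paths kept verbatim).
BROKEN = r"""filebeat.inputs:
    - type: log
    paths:
      - C:\Windows\Logs\DNSServer\dns.log
"""
WORKING = r"""output.logstash:
   hosts:
   - ${user.BeatsInput}
filebeat:
  inputs:
    - type: log
      paths:
        - C:\Users\GL-Testor\testing.log
"""
if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(name, find_misaligned_keys(cfg))
```

The lint only catches this one indentation mistake; `filebeat test config -c <file>` remains the authoritative check of a generated config.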
