counteractive / o365beat

Elastic Beat for fetching and shipping Office 365 audit events

Exiting: error loading config file: yaml: line 2: did not find expected node content #36

Closed leogoldim closed 4 years ago

leogoldim commented 4 years ago

Hi,

I'm getting the error:

Exiting: error loading config file: yaml: line 2: did not find expected node content

When I try to start the o365beat.

# o365beat --path.config /etc/o365beat -c o365beat.yml -e -d "*" --strict.perms=false

o365beat:
  tenant_domain: company.onmicrosoft.com
  client_secret: {secret}
  client_id:     {id}  # aka application id (GUID)
  directory_id:  {id}  # aka tenant id (GUID)
  registry_file_path: /etc/o365beat/o365beat.state
  content_types:
    - Audit.AzureActiveDirectory
    - Audit.Exchange
    - Audit.SharePoint
    - Audit.General
processors:
  - add_fields:
    fields:
      tenant: {company}
  - dissect:
      field: ClientIP
      tokenizer: '[%{clientip}]:%{clientport}'
      when:
        contains:
          ClientIP: '['
  - dissect:
      field: ClientIP
      tokenizer: '%{clientip}:%{clientport}'
      when:
        contains:
          ClientIP: ':'
        not:
          contains:
            ClientIP: '['
  - convert:
      fields:
        - {from: Id, to: 'event.id', type: string}                # ecs core
        - {from: RecordType, to: 'event.code', type: string}      # ecs extended
        - {from: Operation, to: 'event.action', type: string}     # ecs core
        - {from: OrganizationId, to: 'cloud.account.id', type: string} # ecs extended
        - {from: Workload, to: 'event.category', type: string}    # ecs core
        - {from: ResultStatus, to: 'event.outcome', type: string} # ecs extended
        - {from: UserId, to: 'user.id', type: string}             # ecs core
        - {from: ClientIP, to: 'client.ip', type: ip}             # ecs core
        - {from: 'dissect.clientip', to: 'client.ip', type: ip}   # ecs core
        - {from: Parameters, type: string}                        # no ecs mapping
        - {from: ExtendedProperties, type: string}                # no ecs mapping
        - {from: ModifiedProperties, type: string}                # no ecs mapping
      ignore_missing: true
      fail_on_error: false
      mode: copy # default
fields:
  tenant: {company}
setup.kibana:
cloud.id: "{clusterId}"
cloud.auth: "{clusterAuth}"
chris-counteractive commented 4 years ago

Thanks for the issue! Looks like this is an issue with yaml indentation. You have:

processors:
  - add_fields:
    fields:
      tenant: {company}

instead you need:

processors:
  - add_fields:
      fields:
        tenant: {company}

Note the extra indentation for the fields tree. This is tricky with yaml, it happens all the time. See the add_fields processor docs for another few examples. Let me know if this fixes things for you, and we can close the issue. Otherwise we can dig a bit deeper. Thanks again!

leogoldim commented 4 years ago

Hi @chris-counteractive,

thank you for the quick feedback.

I fixed the indentation, but I got the same error.

chris-counteractive commented 4 years ago

Hmm. Okay, I noticed another issue in the config you posted, not sure if it's the cause, but worth eliminating: you have a standalone fields section at the bottom, which might be a copy-paste error ... I don't think that's meaningful outside an add_fields processor. I don't think it should cause problems, but it's a complicating factor and not necessary.

The only other thing that comes to mind is that your beat could still be reading the uncorrected config. You can export the config to test with o365beat export config and check whether it's the one you corrected.

You can also run your config through a yaml-to-json converter and check for any un-desired "null" values, which can indicate an indentation issue. If it still has issues, could you re-post the latest redacted config so we're looking at the same thing? Thanks!

leogoldim commented 4 years ago

Hi, after testing my config file with a yaml-to-json tool I realized that my secret had a character ("]") that broke the YAML syntax. I generated a new one and it's working now.

chris-counteractive commented 4 years ago

I'm glad you were able to solve your issue, thanks for following up. Yaml is tricky, for sure - in the future you can also avoid some of those edge cases by enclosing strings in single or double quotes:

client_secret: 'this_is_my-(wacky)-[secret]!@#'

Or by pulling your secrets from the environment or a keystore. Thanks again!