2nd Winlogbeat Install same as the first...this one doesn't work

I installed a Winlogbeat on my Windows 10 PC and everything was zen. I installed another on a Windows Server 2012 R2 Server and followed the same steps. I copied the contents of the winlogbeat.yml file from my first install on my PC, since I had it configured already, over the top of the contents of the default file I had on the server. Why re-invent the wheel, right? And it is working on my PC sending data to my ElasticSearch server.

On the new server install, when I try to run the test config command I get an error. The service will also not start. I get an Error 1053: "The service did not respond to the start or control request in a timely fashion."

Can you post your config? This error sounds like a copy/paste error, maybe because of wrong indentation.

Best regards

I have trimmed out the commented code for clarity's sake. It produces the same error, except that it references line 6 rather than line 22.

#======================= Winlogbeat specific options ==========================

winlogbeat.event_logs:

  • name: Application
    ignore_older: 72h
  • name: Security
    ignore_older: 24h
  • name: System
    ignore_older: 24h

#==================== Elasticsearch template setting ==========================

setup.template.settings:
index.number_of_shards: 3

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.

setup.kibana:

# Kibana Host

host: "10.1.0.248:5601"

#-------------------------- Elasticsearch output ------------------------------

output.elasticsearch:

# Array of hosts to connect to.
hosts: ["10.1.0.248:9200"]

Can you please use the preformatted text button? Indentation gets mangled by Discuss if not.

#======================= Winlogbeat specific options ==========================


winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: Security
ignore_older: 24h
- name: System
ignore_older: 24h

#==================== Elasticsearch template setting ==========================

setup.template.settings:
index.number_of_shards: 3


#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

# Kibana Host
host: "10.1.0.248:5601"



#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["10.1.0.248:9200"]

That's not valid YAML. Try your config at http://www.yamllint.com/.

Move the ignore_older keys over by two spaces so that they are at the same level as the event log name with which they are associated.

winlogbeat.event_logs:
- name: Application
  ignore_older: 72h
- name: Security
  ignore_older: 24h
- name: System
  ignore_older: 24h
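As an added example (not from this thread and not part of Winlogbeat), a small line-based Python check for the two indentation mistakes visible in the posted config: a list entry's fields (ignore_older) left at the column of the "- " dash, and a section's settings (host, hosts, index.number_of_shards) left at the section's own column, which makes YAML read the section as empty. It is a heuristic for this config layout, not a YAML parser; the sample config is constructed from the thread's values.

```python
import re

# indent, optional "- " list marker, key, inline value (may be empty)
KEY_RE = re.compile(r"^(\s*)(- )?([A-Za-z0-9_.]+):\s*(.*)$")

def lint_indent(text):
    """Return (line_no, message) pairs for suspect lines; [] means clean."""
    problems = []
    opener = None  # (indent, key, line_no): a key still waiting for children
    lst = None     # (dash column, parent key column, label) of the open list
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(raw.rstrip())
        if raw.lstrip().startswith("#") or not m:
            continue  # comments, blank lines and non-key lines are ignored
        indent, key, value = len(m.group(1)), m.group(3), m.group(4)
        if m.group(2):  # "- key: value" starts a list entry
            if opener and indent >= opener[0]:  # YAML allows dash == parent column
                lst, opener = (indent, opener[0], f"- {key}: {value}"), None
            elif lst and indent == lst[0]:
                lst = (indent, lst[1], f"- {key}: {value}")
            continue
        if opener and indent <= opener[0]:  # a sibling arrived, so opener is null
            problems.append((opener[2], f"'{opener[1]}:' has nothing indented "
                             f"under it, so YAML reads it as empty; indent '{key}:' beneath it"))
        if lst:
            dash, parent, label = lst
            if parent < indent <= dash or (indent == dash == parent and value):
                problems.append((line_no, f"'{key}:' at column {indent} is not "
                                 f"part of '{label}'; indent it past the dash"))
            elif indent <= parent:
                lst = None  # back at the parent's level: the list has ended
        opener = (indent, key, line_no) if not value else None
    return problems

# Constructed sample: the thread's mistake (ignore_older at the dash column)
# plus a section left empty (host left at setup.kibana's column).
BROKEN = """\
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: Security
ignore_older: 24h
setup.kibana:
# Kibana Host
host: "10.1.0.248:5601"
output.elasticsearch:
  hosts: ["10.1.0.248:9200"]
"""
FIXED = BROKEN.replace("\nignore_older", "\n  ignore_older").replace("\nhost:", "\n  host:")
```

Running lint_indent(BROKEN) reports lines 3, 5 and 6; lint_indent(FIXED) reports nothing, which is the two-space move described in the reply above.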

Wow. I didn't realize that yaml was so touchy when it came to indentation. Thanks for your help!
