JustTheDr
(Just The Dr)
August 2, 2018, 12:45pm
1
I installed a Winlogbeat on my Windows 10 PC and everything was zen. I installed another on a Windows Server 2012 R2 Server and followed the same steps. I copied the contents of the winlogbeat.yml file from my first install on my PC, since I had it configured already, over the top of the contents of the default file I had on the server. Why re-invent the wheel, right? And it is working on my PC sending data to my ElasticSearch server.
On the new server install, when I try to run the test config command I get an error. The service will also not start. I get an Error 1053: "The service did not respond to the start or control request in a timely fashion."
exekias
(Carlos Pérez Aradros)
August 2, 2018, 1:21pm
2
Can you post your config? This error sounds like a copy/paste error, maybe because of wrong indentation.
Best regards
JustTheDr
(Just The Dr)
August 2, 2018, 1:51pm
3
I have trimmed out the commented code for clarity's sake. It produces the same error, though it references line 6 rather than line 22.
```yaml
#======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
name: Application
ignore_older: 72h
name: Security
ignore_older: 24h
name: System
ignore_older: 24h
#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 3
#============================== Kibana =====================================
#- Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
#- This requires a Kibana endpoint configuration.
setup.kibana:
#- Kibana Host
host: "10.1.0.248:5601"
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
#- Array of hosts to connect to.
hosts: ["10.1.0.248:9200"]
```
exekias
(Carlos Pérez Aradros)
August 2, 2018, 1:55pm
4
Can you please use the preformatted text button? Indentation gets mangled by Discuss if not.
JustTheDr
(Just The Dr)
August 2, 2018, 2:42pm
5
```yaml
#======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
  - name: Application
  ignore_older: 72h
  - name: Security
  ignore_older: 24h
  - name: System
  ignore_older: 24h
#==================== Elasticsearch template setting ==========================
setup.template.settings:
  index.number_of_shards: 3
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  host: "10.1.0.248:5601"
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.1.0.248:9200"]
```
That's not valid YAML. Try your config at http://www.yamllint.com/.
Move the `ignore_older` keys over by two spaces so that they are at the same level as the event log name with which they are associated.
```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
    ignore_older: 24h
  - name: System
    ignore_older: 24h
```
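The indentation mistake discussed above, as an added example that is not part of the thread and not Winlogbeat's own parser: a small Python check that walks the `winlogbeat.event_logs` list, reports keys that sit at the `-` column instead of inside their item, and shows what a parser builds once the keys are moved over. The sample configs are constructed here, modelled on the trimmed config posted earlier.

```python
# Constructed sample modelled on the trimmed config in the thread: each
# ignore_older sits at the "-" column instead of under its "name" key.
BROKEN_CONFIG = """\
winlogbeat.event_logs:
  - name: Application
  ignore_older: 72h
  - name: Security
  ignore_older: 24h
output.elasticsearch:
  hosts: ["10.1.0.248:9200"]
"""
# The same config with ignore_older moved over by two spaces, as the answer says.
FIXED_CONFIG = BROKEN_CONFIG.replace("\n  ignore_older", "\n    ignore_older")


def lint_event_logs(text):
    """Return (problems, entries) for the winlogbeat.event_logs list.

    problems: list of (line_number, message); entries: the list of dicts a YAML
    parser would build. Only the flat '- key: value' shape is handled; this is a
    targeted indentation check, not a YAML parser (assumption of this example).
    """
    problems, entries, in_block, item_indent = [], [], False, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments never affect indentation
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:  # a top-level key starts or ends the block
            in_block, item_indent = stripped == "winlogbeat.event_logs:", None
            continue
        if not in_block:
            continue
        if stripped.startswith("- "):  # new list item: the '-' column is the reference
            if item_indent is None:
                item_indent = indent
            elif indent != item_indent:
                problems.append((lineno, f"list item at column {indent}, expected {item_indent}"))
            key, _, value = stripped[2:].partition(": ")
            entries.append({key: value})
            continue
        key, _, value = stripped.partition(": ")
        if item_indent is None or indent <= item_indent:
            # A key at or left of the '-' column is not inside the item; a YAML parser
            # stops here with an error such as "did not find expected '-' indicator".
            problems.append((lineno, f"'{key}' at column {indent} must be indented past the '-'"))
            continue
        entries[-1][key] = value  # properly nested key: belongs to the current item
    return problems, entries
```

Running it on `BROKEN_CONFIG` flags lines 3 and 5 (the two `ignore_older` lines), while `FIXED_CONFIG` yields no problems and two complete entries.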
JustTheDr
(Just The Dr)
August 2, 2018, 7:26pm
7
Wow. I didn't realize that yaml was so touchy when it came to indentation. Thanks for your help!
system
(system)
Closed
August 30, 2018, 7:26pm
8
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.