2nd Winlogbeat Install same as the first...this one doesn't work

JustTheDr · August 2, 2018, 12:45pm

I installed a Winlogbeat on my Windows 10 PC and everything was zen. I installed another on a Windows Server 2012 R2 Server and followed the same steps. I copied the contents of the winlogbeat.yml file from my first install on my PC since I had it configured already, overtop the contents of the default file I had on the server. Why re-invent the wheel right? And it is working on my PC sending data to my ElasticSearch server.

On the new server install, when I try to run the test config command I get an error. The service will also not start. I get an Error 1053: "The service did not respond to the start or control request in a timely fashion."

exekias · August 2, 2018, 1:21pm

Can you post your config? This error sounds like a copy/paste error, maybe because of wrong indentation.

Best regards

JustTheDr · August 2, 2018, 1:51pm

I have trimmed out the commented code for clarity's sake. It produces the same error, though except it references line 6 rather line 22.

#======================= Winlogbeat specific options ==========================

winlogbeat.event_logs:

name: Application
ignore_older: 72h
name: Security
ignore_older: 24h
name: System
ignore_older: 24h

#==================== Elasticsearch template setting ==========================

setup.template.settings:
index.number_of_shards: 3

#============================== Kibana =====================================

#- Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
#- This requires a Kibana endpoint configuration.

setup.kibana:

#- Kibana Host

host: "10.1.0.248:5601"

#-------------------------- Elasticsearch output ------------------------------

output.elasticsearch:

#- Array of hosts to connect to.
hosts: ["10.1.0.248:9200"]

exekias · August 2, 2018, 1:55pm

can you please use the preformatted text button? Indentation gets mangled by Discuss if not

JustTheDr · August 2, 2018, 2:42pm

#======================= Winlogbeat specific options ==========================


winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: Security
ignore_older: 24h
- name: System
ignore_older: 24h

#==================== Elasticsearch template setting ==========================

setup.template.settings:
index.number_of_shards: 3


#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

# Kibana Host
host: "10.1.0.248:5601"



#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["10.1.0.248:9200"]

andrewkroh · August 2, 2018, 2:55pm

That's not valid YAML. Try your config at http://www.yamllint.com/.

Move the ignore_older keys over by two spaces so that they are at the same level as the event log name with which they are associated.

winlogbeat.event_logs:
- name: Application
  ignore_older: 72h
- name: Security
  ignore_older: 24h
- name: System
  ignore_older: 24h

JustTheDr · August 2, 2018, 7:26pm

Wow. I didn't realize that yaml was so touchy when it came to indentation. Thanks for your help!

system · August 30, 2018, 7:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.