Environment:
- Elastic Agent: 9.1.10 (build: 45f734)
- OS: Windows Server 2022
- Mode: Standalone (no Fleet)
Problem:
Setting `agent.logging.to_eventlog: true` in `elastic-agent.yml` causes agent to fail on startup with:
```
elastic-agent.exe run failed: failed to create logger: error initializing logging: failed to build log output: appName cannot be empty
```
Steps to reproduce:
- Install agent as Windows service:
```
.\elastic-agent.exe install
```
- Set in `elastic-agent.yml`:
```yaml
agent.logging.level: info
agent.logging.to_eventlog: true
agent.logging.to_files: false
```
- Start service via `services.msc` → agent fails immediately with the error above.
The Event Log source IS registered. Confirmed by PowerShell:
```
PS C:\Windows\system32> New-EventLog -LogName Application -Source "Elastic Agent"
New-EventLog : The "Elastic Agent" source is already registered on the "localhost" computer.
```
So the Windows Event Log source exists — but the agent still fails with `appName cannot be empty`.
Workaround:
Use file logging instead:
```yaml
agent.logging.to_eventlog: false
agent.logging.to_files: true
agent.logging.files:
  path: 'C:\ProgramData\Elastic\Agent\logs'
  name: elastic-agent
  keepfiles: 7
```
Question:
Is there any way to make `to_eventlog: true` work with standalone Elastic Agent on Windows Server 2022? Or is this a known bug?
Any workaround other than file logging would be appreciated.