Beats 8.13.1 services won't start due to quoting issues

In reference to:

It looks like the MSI installers now support passing INSTALLDIR...but it looks like the beats don't handle quoting properly and cause services to fail to start.

Just tried to install Auditbeat, Metricbeat, and Winlogbeat 8.13.1 and all the services fail to start.

Copying the start string from the services throws errors showing quotes in the wrong spots.

Removing the quotes allows the beats to start up properly.

I should note that this issue might occur in other beat versions. We're upgrading from 8.11.1 to 8.13.1.

Confirmed that removing the quotes from:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlogbeat\ImagePath

Allows the services to start up properly. This won't help people who have installed to paths containing spaces (i.e. "c:\Program Files").

Can you please share what you passed to InstallDir? Preferably the full msiexec command?

msiexec /i https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-8.13.1-windows-x86_64.msi INSTALLDIR=c:\beats\winlogbeat\ /qn /norestart

I tried quoting it as well (INSTALLDIR="c:\beats\winlogbeat") and still ran into problems.

Thanks for reporting this, we'll work on a fix shortly.

If you have the ability to run a command after the install, you can work around this issue by running sc to modify the binpath:

sc config winlogbeat binpath= "\"C:\Program Files\Elastic\Beats\8.13.2\winlogbeat\winlogbeat.exe\" --path.home \"C:\Program Files\Elastic\Beats\8.13.2\winlogbeat\" --path.config \"C:\Program Files\Elastic\Beats\8.13.2\winlogbeat\" --path.data \"C:\Program Files\Elastic\Beats\8.13.2\winlogbeat\data\" --path.logs \"C:\Program Files\Elastic\Beats\8.13.2\winlogbeat\logs\" -E logging.files.redirect_stderr=true"

Changing the paths to match your custom path.


You can follow the fix here: Remove trailing slash and store data and logs in subfolders by strawgate · Pull Request #264 · elastic/elastic-stack-installers · GitHub

No worries--we use saltstack for deployment. We already pushed out updated registry keys as a work-around.
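Added example, not part of the thread and not Elastic's code: a small Python splitter showing how a trailing backslash before a closing quote can put quotes "in the wrong spots". It assumes the service command line is split with the usual Windows backslash-before-quote argument rules; the ImagePath strings and the function names are constructed for illustration.

```python
# Added example: Windows backslash/quote argument rules applied to constructed
# ImagePath values. Simplified: the "" escape inside quotes and the special
# handling of argv[0] are not modelled.

def split_windows_args(cmdline):
    args, cur, in_quotes, started = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                # 2n backslashes + quote   -> n backslashes, quote still delimits
                # 2n+1 backslashes + quote -> n backslashes + a literal quote
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')
                    j += 1  # the escaped quote is consumed as data
            else:
                cur.append("\\" * count)  # not before a quote: literal
            started, i = True, j
        elif ch == '"':
            in_quotes, started, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
                cur, started = [], False
            i += 1
        else:
            cur.append(ch)
            started, i = True, i + 1
    if started:
        args.append("".join(cur))
    return args

def swallowed_quotes(cmdline):
    """Arguments that still contain a quote: a closing quote was escaped."""
    return [a for a in split_windows_args(cmdline) if '"' in a]

# Constructed values (hypothetical), modelled on INSTALLDIR=c:\beats\winlogbeat\
BROKEN = (r'"c:\beats\winlogbeat\winlogbeat.exe" --path.home "c:\beats\winlogbeat\" '
          r'--path.config "c:\beats\winlogbeat\" --path.data "c:\beats\winlogbeat\data"')
FIXED = BROKEN.replace('\\" ', '" ')  # drop the backslash before each closing quote

if __name__ == "__main__":
    for name, value in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, split_windows_args(value), swallowed_quotes(value))
```

In the broken value the `--path.config` flag disappears into the `--path.home` argument; removing the trailing backslash (or doubling it) restores the expected argument list.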