Can't execute winlogbeat.exe

Hi,
I want to install winlogbeat in Windows 2016 Standard x64 with Winlogbeat 6.4.0 x64
When I execute the winlogbeat.exe to confirm the configuration file or anything, The console also response error in below.

what's happen in winlogbeat ? Thank a lot.

PS C:\Program Files\winlogbeat> .\winlogbeat.exe -e
Exception 0xc0000005 0x8 0x0 0x0
PC=0x0

runtime: unexpected return pc for runtime.asmstdcall called from 0x2820000
stack: frame={sp:0x262fd40, fp:0x262fd50} stack=[0x261ff98,0x262ff30)
000000000262fc40:  0000000002860018  000000000262fc78
000000000262fc50:  00000000004138c0 <runtime.heapBits.initSpan+256>  000000c041ffff00
000000000262fc60:  0000000000000100  0000000000000100
000000000262fc70:  0000000000002000  000000000262fcc0
000000000262fc80:  00000000004156e3 <runtime.(*mcentral).grow+243>  000000c041ffffff
000000000262fc90:  000000c000000000  0000000002824000
000000000262fca0:  0000000002824000  0000000000000020
000000000262fcb0:  0000000000000100  0000000000000000
000000000262fcc0:  000000000262fd08  00000000004150b4 <runtime.(*mcentral).cacheSpan+468>
000000000262fcd0:  0000000002824000  0000000000000000
000000000262fce0:  0000000000003000  0000000000000004
000000000262fcf0:  0000000000002000  0000000002824000
000000000262fd00:  0000000000411b66 <runtime.persistentalloc1+454>  000000000262fd38
000000000262fd10:  0000000000414d8a <runtime.(*mcache).refill+170>  00000000016a1c50
000000000262fd20:  0000000002824000  0000000000000023
000000000262fd30:  000000000169a540  000000000045c39e <runtime.asmstdcall+94>
000000000262fd40: <0000000000000020 !0000000002820000
000000000262fd50: >0000000000004023  000000000262fdb0
000000000262fd60:  00000000004107ad <runtime.(*mcache).nextFree+205>  0000000002824000
000000000262fd70:  0000000000000000  000000000262fdc0
000000000262fd80:  0000000000411979 <runtime.persistentalloc+137>  0000000000000023
000000000262fd90:  0000000002824000  0000000000455870 <runtime.(*mcache).nextFree.func1+0>
000000000262fda0:  0000000002820000  0000000000000023
000000000262fdb0:  000000000262fe50  0000000000410c63 <runtime.mallocgc+803>
000000000262fdc0:  000000000169add0  000000000045a147 <runtime.asmcgocall+183>
000000000262fdd0:  000000c042000000  0000000002824000
000000000262fde0:  000000000262fe01  0101000000411744
000000000262fdf0:  0000000000000000  000000000262fe18
000000000262fe00:  0000000000000000  0000000000000000
000000000262fe10:  000000000169aac0  000000000042b4c1 <runtime.stdcall+129>
000000000262fe20:  000000000045c340 <runtime.asmstdcall+0>  000000000169add0
000000000262fe30:  0000000000410206 <runtime.mallocinit+614>  000000000169aac0
000000000262fe40:  000000000262fe60  000000000042b5f7 <runtime.stdcall2+71>
runtime.asmstdcall(0x4023, 0x262fdb0, 0x4107ad, 0x2824000, 0x0, 0x262fdc0, 0x411979, 0x23, 0x2824000, 0x455870, ...)
        /usr/local/go/src/runtime/sys_windows_amd64.s:60 +0x5e fp=0x262fd50 sp=0x262fd40 pc=0x45c39e
rax     0x0
rbx     0x169add0
rcx     0x16bc160
rdi     0x2b7000
rsi     0x262fe78
rbp     0x262fe40
rsp     0x262fd38
r8      0x4303b1
r9      0x262feb8
r10     0xc042000000
r11     0x1
r12     0x40
r13     0x40
r14     0x0
r15     0x0
rip     0x0
rflags  0x10293
cs      0x33
fs      0x53
gs      0x2b
PS C:\Program Files\winlogbeat>

Could you please share your winlogbeat configuration formatted using </>?

FYI: I ran a quick sanity check by running both Winlogbeat 6.4.0 binaries (x86 and x86_64) on Windows Server 2016 Standard with the default configuration. No crashes observed.

1 Like

Can you also share the output of running with the -d "*" argument?

PS C:\Program Files\winlogbeat> .\winlogbeat.exe -e -d "*"

Hi Adrisr,

 This output result in below. thanks.

PS C:\Program Files\winlogbeat> .\winlogbeat.exe -e -d "*"
Exception 0xc0000005 0x8 0x0 0x0
PC=0x0

runtime: unexpected return pc for runtime.asmstdcall called from 0x2730000
stack: frame={sp:0x262fd40, fp:0x262fd50} stack=[0x261ff98,0x262ff30)
000000000262fc40:  0000000002980018  000000000262fc78
000000000262fc50:  00000000004138c0 <runtime.heapBits.initSpan+256>  000000c041ffff00
000000000262fc60:  0000000000000100  0000000000000100
000000000262fc70:  0000000000002000  000000000262fcc0
000000000262fc80:  00000000004156e3 <runtime.(*mcentral).grow+243>  000000c041ffffff
000000000262fc90:  000000c000000000  0000000002734000
000000000262fca0:  0000000002734000  0000000000000020
000000000262fcb0:  0000000000000100  0000000000000000
000000000262fcc0:  000000000262fd08  00000000004150b4 <runtime.(*mcentral).cacheSpan+468>
000000000262fcd0:  0000000002734000  0000000000000000
000000000262fce0:  0000000000003000  0000000000000004
000000000262fcf0:  0000000000002000  0000000002734000
000000000262fd00:  0000000000411b66 <runtime.persistentalloc1+454>  000000000262fd38
000000000262fd10:  0000000000414d8a <runtime.(*mcache).refill+170>  00000000016a1c50
000000000262fd20:  0000000002734000  0000000000000023
000000000262fd30:  000000000169a540  000000000045c39e <runtime.asmstdcall+94>
000000000262fd40: <0000000000000020 !0000000002730000
000000000262fd50: >0000000000004023  000000000262fdb0
000000000262fd60:  00000000004107ad <runtime.(*mcache).nextFree+205>  0000000002734000
000000000262fd70:  0000000000000000  000000000262fdc0
000000000262fd80:  0000000000411979 <runtime.persistentalloc+137>  0000000000000023
000000000262fd90:  0000000002734000  0000000000455870 <runtime.(*mcache).nextFree.func1+0>
000000000262fda0:  0000000002730000  0000000000000023
000000000262fdb0:  000000000262fe50  0000000000410c63 <runtime.mallocgc+803>
000000000262fdc0:  000000000169add0  000000000045a147 <runtime.asmcgocall+183>
000000000262fdd0:  000000c042000000  0000000002734000
000000000262fde0:  000000000262fe01  0101000000411744
000000000262fdf0:  0000000000000000  000000000262fe18
000000000262fe00:  0000000000000000  0000000000000000
000000000262fe10:  000000000169aac0  000000000042b4c1 <runtime.stdcall+129>
000000000262fe20:  000000000045c340 <runtime.asmstdcall+0>  000000000169add0
000000000262fe30:  0000000000410206 <runtime.mallocinit+614>  000000000169aac0
000000000262fe40:  000000000262fe60  000000000042b5f7 <runtime.stdcall2+71>
runtime.asmstdcall(0x4023, 0x262fdb0, 0x4107ad, 0x2734000, 0x0, 0x262fdc0, 0x411979, 0x23, 0x2734000, 0x455870, ...)
        /usr/local/go/src/runtime/sys_windows_amd64.s:60 +0x5e fp=0x262fd50 sp=0x262fd40 pc=0x45c39e
rax     0x0
rbx     0x169add0
rcx     0x16bc160
rdi     0x2a4000
rsi     0x262fe78
rbp     0x262fe40
rsp     0x262fd38
r8      0x4303b1
r9      0x262feb8
r10     0xc042000000
r11     0x1
r12     0x40
r13     0x40
r14     0x0
r15     0x0
rip     0x0
rflags  0x10293
cs      0x33
fs      0x53
gs      0x2b
PS C:\Program Files\winlogbeat>

Hi Kvch,
I guese that is not main reason in winlogbeat configuration, because just only running the winlogbeat.exe and get the errors. thanks

What do you mean exactly? Running .\winlogbeat.exe alone causes it to crash? This would still read in the config file even if not specified. Does .\winlogbeat.exe version crash (this won't read config)? I think it would be best to share what you have configured if you can.

It would be good to double check that download wasn't corrupt with Get-FileHash .\winlogbeat.exe | Format-List. For the .exe I get a sha256 sum of d1f28c68f0c32274c363a34d9205b5396da03e17d5365c2bea0ea8ea657312c4.

Is there anything special about this environment? Are you running any security tools like EMET? Just trying to find something that might help us reproduce it on our end.

Hi Andrewkroh,
I download the Winlogbeat 6.4.0 x64 version from website and unzip to "C:\Program File" folder. then i running the winlogbeat.exe in DOS mode, I not modify parameters in winlogbeat.yml, the winlogbeat.yml config in below.

it can get the sha256 sum

PS C:\Program Files\winlogbeat> Get-FileHash .\winlogbeat.exe | Format-List
Algorithm : SHA256
Hash      : D1F28C68F0C32274C363A34D9205B5396DA03E17D5365C2BEA0EA8EA657312C4
Path      : C:\Program Files\winlogbeat\winlogbeat.exe
PS C:\Program Files\winlogbeat>

Thanks.

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

#============================= Elastic Cloud ==================================

# These settings simplify using winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== Xpack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:

Hi,
I still not know how to fix it. Anyone can get me suggestion or help?
Thanks.

We're still trying to reproduce the issue, with no luck.

Can you give us more information about the OS, exact version and build number, as well as installed software ?

Hi Adrisr,
Thank for your reply. If need any information about this server, please let me know, i will provide it.
I had install Winlogbeat in other Server with windows 2016 as wall. But just only this server have problems.

  OS: Windows Server 2016 Standard x64   (Version 1607 ,OS Build 14393.0)
  Winlogbeat : 6.4.0 x64 Bit

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.