Can't get Windows winlogbeat 8.0 to run - The system cannot find the path

I upgraded my Elastic Stack on Windows from 7.17.0 to 8.0. I installed both metricbeat and winlogbeat 8.0 using the .msi files. Metricbeat runs fine. I cannot get winlogbeat to start. Winlogbeat fails because it cannot find a security related path (because it doesn't exist). See error message below.

PS C:\Program Files\Elastic\Beats\8.0.0\winlogbeat> .\winlogbeat.exe -c C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml test config
.\winlogbeat.exe : Exiting: failed to create new event log: failed in processor.javascript: failed to open file C:\Program Files\Elastic\Beats\8.0.0\winlogbeat/module/security/config/winlogbeat-security.js: open C:\Program 
Files\Elastic\Beats\8.0.0\winlogbeat/module/security/config/winlogbeat-security.js: The system cannot find the path specified.
At line:1 char:1
+ .\winlogbeat.exe -c C:\ProgramData\Elastic\Beats\winlogbeat\winlogbea ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Exiting: failed...path specified.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

On my system after the winlogbeat installation I only have the C:\Program Files\Elastic\Beats\8.0.0\winlogbeat\module\security portion of the path. The remaining portion of the path /config and the winlogbeat-security.js file don't exist.

As part of the winlogbeat installation, I create a keystore and save the password for the Elasticsearch admin account, which I created as part of the Elasticsearch installation.

Below are what I believe to be relevant parts of my winlogbeat.yml file.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "admin"
  password: "${elasticsearch-admin.password}"

  ssl.verification_mode: none

#============================== X-Pack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
monitoring.enabled: true

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
monitoring.elasticsearch:
  hosts: [ "https://localhost:9200" ]
  username: admin
  password: "${elasticsearch-admin.password}"
  ssl.verification_mode: none

I am at a loss as to what is going on and cannot find where anyone else is having this issue.

8.0 uses Ingest Node pipelines for parsing (this way we can keep Winlogbeat consistent with Elastic Agent). There are no more .js files for the script processors. So remove script processors and check out the new module docs and also the default config that comes with 8.0.

Brilliant. This will solve my issue. Yes, I was still using the old JavaScript processor in my winlogbeat.yml file and wasn't aware of the change with 8.0.

#======================= Winlogbeat specific options ===========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:

  - name: Application
    ignore_older: 336h
    event_id: 1033, 1034, 11707, 11724

  - name: System
    ignore_older: 336h
    event_id: 20, 1074, 6006, 6008
    
  - name: Security
    ignore_older: 336h
    processors:
##
### Send all Security event log events
##
     - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
##

Now that you pointed me in the right direction, the problem is obvious. Thanks!
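An added pre-upgrade check, not from the thread or from Elastic: it scans a winlogbeat.yml for script processors that still point at the 7.x module .js files, which 8.0 no longer ships because parsing moved to ingest pipelines. It is a line-based scan, not a YAML parser, and the embedded configs are constructed from the snippet above.

```python
import re
from typing import List, Tuple

# Constructed sample: the pre-8.0 event_logs section posted in the thread above.
SAMPLE_CONFIG = """\
winlogbeat.event_logs:
  - name: Application
    ignore_older: 336h
  - name: Security
    ignore_older: 336h
    processors:
##
### Send all Security event log events
##
     - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
##
"""

# Constructed sample of an 8.0-style section: no script processors at all.
CLEAN_CONFIG = """\
winlogbeat.event_logs:
  - name: Application
    ignore_older: 336h
  - name: Security
    ignore_older: 336h
"""

# 7.x shipped module parsers as module/<name>/config/winlogbeat-<name>.js;
# 8.0 does not install these files, so any processor referencing one will fail at start.
STALE_JS_FILE = re.compile(r"module/[\w-]+/config/winlogbeat-[\w-]+\.js$")


def find_stale_script_processors(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, event_log_name, file_path) for each script processor
    whose file still points at a 7.x module .js. Line-based scan, not a YAML parser."""
    findings = []
    current_log = "?"
    in_script = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments (the ## markers sit inside the list)
        name = re.match(r"-\s*name:\s*(\S+)", line)
        if name:
            current_log, in_script = name.group(1), False
        elif re.match(r"-\s*script:", line):
            in_script = True
        elif line.startswith("-"):
            in_script = False  # some other list item, e.g. a different processor
        elif in_script and line.startswith("file:"):
            path = line.split(":", 1)[1].strip()
            if STALE_JS_FILE.search(path):
                findings.append((lineno, current_log, path))
    return findings


if __name__ == "__main__":
    for lineno, log, path in find_stale_script_processors(SAMPLE_CONFIG):
        print(f"line {lineno}: event log '{log}' uses removed 7.x parser {path}")
```

Run it against the real file with `find_stale_script_processors(open(r"C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml").read())`; an empty list means no leftover 7.x script processors.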
