I upgraded my Elastic Stack on Windows from 7.17.0 to 8.0. I installed both metricbeat and winlogbeat 8.0 using the .msi files. Metricbeat runs fine. I cannot get winlogbeat to start. Winlogbeat fails because it cannot find a security-related path (because it doesn't exist). See the error message below.
PS C:\Program Files\Elastic\Beats\8.0.0\winlogbeat> .\winlogbeat.exe -c C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml test config
.\winlogbeat.exe : Exiting: failed to create new event log: failed in processor.javascript: failed to open file C:\Program Files\Elastic\Beats\8.0.0\winlogbeat/module/security/config/winlogbeat-security.js: open C:\Program
Files\Elastic\Beats\8.0.0\winlogbeat/module/security/config/winlogbeat-security.js: The system cannot find the path specified.
At line:1 char:1
+ .\winlogbeat.exe -c C:\ProgramData\Elastic\Beats\winlogbeat\winlogbea ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Exiting: failed...path specified.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
On my system, after the winlogbeat installation, I only have the C:\Program Files\Elastic\Beats\8.0.0\winlogbeat\module\security portion of the path. The remaining portion of the path /config and the winlogbeat-security.js file don't exist.
As part of the winlogbeat installation, I create a keystore and save the password for the Elasticsearch admin account, which I created as part of the Elasticsearch installation.
Below are what I believe to be relevant parts of my winlogbeat.yml file.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "admin"
  password: "${elasticsearch-admin.password}"
  ssl.verification_mode: none

#============================== X-Pack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
monitoring.enabled: true

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
monitoring.elasticsearch:
  hosts: [ "https://localhost:9200" ]
  username: admin
  password: "${elasticsearch-admin.password}"
  ssl.verification_mode: none

I am at a loss as to what is going on and cannot find where anyone else is having this issue.