Correct way to Start and Stop Winlogbeat with Powershell

JKCode · September 21, 2018, 10:04am

Hi All,
Newbie Alert!!
I have been facing issues using Winlogbeats to ship localhost logs (application, system, security, etc.) to Elasticsearch.
I have been following the instructions in the documentation, however, I am ONLY able to start the logs shipping to ES with the following command:

PS> .\winlogbeat.exe -c .\winlogbeat.yml -e

This displays DEBUG, INFO etc in the terminal window while operational and the only way for me to stop it is with Ctrl C. This is causing my logs to get corrupted and they cannot be viewed in Windows Event Viewer after Force Stopping Winlgbearts.

The Start-Service winlogbeat command does not initiate logs shipping to ES either.

Request please provide me with link to the correct procedures to Start and Stop the WInlogbeats Service on WInodws 10 using Powershell; or elaborate on the correct procedures here.

Any help is much appreciated!

Thanks in advance!

Regards,
Juneid

JKCode · September 26, 2018, 7:49am

Hi All,

I am posting again just to check if this query is irrelevant as there has been no response.

I have been told that my Seniors in Development that Windows log corruption is occurring due to Winlogbeat remaining latched to the logs which render them not viewable in Event Viewer (as corrupted) and irretrievable. This is due to the abrupt shutdown command with Ctrl C.

Any info / guidance is appreciated.

Thanks and Regards

Juneid

dedemorton · September 28, 2018, 6:23am

If you followed the steps in the getting started docs to install the service, you should be able to start the service with Start-Service winlogbeat and stop it with Stop-Service winlogbeat.

I just pulled down and installed the latest version of the stack, installed the service, and started the service without issues. I'd suggest getting the default configuration working before you modify the configuration.

dedemorton · September 28, 2018, 6:25am

Also see the docs about starting and stopping the service.

JKCode · September 30, 2018, 7:14am

Thank you for the response @dedemorton. Shall attempt this again and update.

Regards,
JK

JKCode · September 30, 2018, 8:17am

Hi All,

My mistake with this was, redirecting myself to links within the documentation which was the cause of my confusion.

I would recommend new users to stick to the process steps in the documentation to specifically setup, basic configuration and starting the beat, before exploring other links within the documentation.

I suppose Windows users should be running commands in the following order:

Setup:

Install
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat' PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
Proceed to configure winlogbeat.yml file= basic
a. Applications
b. Output
Load Kibana Dashboards
Start Winlogbeat
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Stop Winlogbeat
PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat

Cheers!
JK

system · October 28, 2018, 10:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.