Corrupt winlogbeat.yml checkpoint file

I'm using 5.0.0-alpha4 and I noticed that for some users the service was not able to start up. The following error was in the log file:

2016-08-18T18:22:56-07:00 CRIT Exiting: yaml: control characters are not allowed

I noticed that the C:\ProgramData\winlogbeat\winlogbeat.yml file was blank with all zeroes.

# xxd winlogbeat.yml
0000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

Is this a known problem?

Was there any sort of machine failure or power outage?

There was one similar report. See "Winlogbeat v5 fail to start after upgrade".

That's hard to tell. They're just client laptop systems; they could have run out of battery, crashed, been shut down, lid closed, etc. No way of knowing with users :wink:

Perhaps that error ("control characters are not allowed") can be caught and the file wiped out and a new one created.

About how many systems have been affected by the problem so far?

About 40 out of a few hundred.

Could you please open a new GitHub issue for this, and we'll see what we can do to mitigate the problem. It sounds pretty serious if it's happening on ~40 machines. Thanks!

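The mitigation suggested in the thread (detect the unreadable checkpoint, set it aside, start fresh), together with a crash-safe write, as an added Go example that is not code from this thread or from the Beats project. The function names, the NUL-byte check and the `.corrupt` suffix are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

// LoadCheckpoint reads the checkpoint. A missing file is an empty state; a file
// containing NUL bytes (the all-zero case above) is renamed aside, not parsed.
func LoadCheckpoint(path string) (data []byte, quarantined bool, err error) {
	data, err = os.ReadFile(path)
	if os.IsNotExist(err) {
		return nil, false, nil
	}
	if err != nil {
		return nil, false, err
	}
	if bytes.IndexByte(data, 0) >= 0 {
		return nil, true, os.Rename(path, path+".corrupt")
	}
	return data, false, nil
}

// SaveCheckpoint writes a synced temp file, then renames it over the old one.
func SaveCheckpoint(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), "checkpoint-*.tmp")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename succeeded
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Sync()
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

func main() {
	path := filepath.Join(os.TempDir(), "example-checkpoint.yml") // constructed path
	os.WriteFile(path, make([]byte, 208), 0o600)                  // constructed all-zero file
	fmt.Println(LoadCheckpoint(path))
	fmt.Println(SaveCheckpoint(path, []byte("update_time: constructed\n")))
}
```

Keeping the quarantined file rather than deleting it preserves evidence of when the shipper lost its position, which matters when reconstructing a gap in endpoint log coverage.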