Error 1053: “The service did not respond in a timely fashion” when attempting to start winlogbeat service with MSI package

I have just started working with Winlogbeat as a forwarder to Graylog (Logstash). I was able to get this working perfectly fine with the .zip file.

In order to simplify the deployment, I wanted to use the .msi file, and simply copy across a known winlogbeat.yaml file - likely as part of a login script or otherwise.

While the config checks out perfectly ok and I can run .\winlogbeat.exe -e and I see logs being sent to Graylog, however no matter what I do the Windows service will not start in order for this to be run as a system process.

Has anybody found a resolution for this? I have tested on Windows 2019 and Windows 10 - exactly the same error. I have also tested versions 7.9.0 and 7.10.0 - both send logs, but neither can start the service

Some further info. I ran the command that is listed with the service under services.msc and below is the output:

PS C:\Program Files\Elastic\Beats\7.9.0\winlogbeat> "C:\Program Files\Elastic\Beats\7.9.0\winlogbeat\winlogbeat.exe"  --path.home "C:\Program Files\Elastic\Beats\7.9.0\winlogbeat" --path.config "C:\ProgramData\Elastic\Beats\winlogbeat" --path.data "C:\ProgramData\Elastic\Beats\winlogbeat\data" --path.logs "C:\ProgramData\Elastic\Beats\winlogbeat\logs" -E logging.files.redirect_stderr=true -c "C:\Program Files\Elastic\Beats\7.9.0\winlogbeat\winlogbeat.yml"
At line:1 char:69
+ ... s\Elastic\Beats\7.9.0\winlogbeat\winlogbeat.exe"  --path.home "C:\Pro ...
+                                                         ~~~~~~~~~
Unexpected token 'path.home' in expression or statement.
At line:1 char:1
+ "C:\Program Files\Elastic\Beats\7.9.0\winlogbeat\winlogbeat.exe"  --p ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The '--' operator works only on variables or on properties.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

@mackov83, do you see any information about this in the Event Viewer or in the winlogbeat logs?
Also, the error you get while running the command is due to the -- expression, maybe replace it with -path..

When I try to start the Elastic Winlogbeat 7.x service, event viewer shows:

The Elastic Winlogbeat 7.10.0 service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.

I assume the Winlogbeat service would first need to start before log files are going to generated??

I took the command that I ran directly from the properties of the 'Elastic Winlogbeat 7.10.0' Windows service. As far as I know this is the command that will be run when the service is started.

With regards to syntax - vs --, it didn't work (as expected). Below is the output from the help related to Winlogbeat.exe - note the syntax for --path.x:

PS C:\Program Files\Elastic\Beats\7.10.0\winlogbeat> .\winlogbeat.exe --help
Usage:
  winlogbeat [flags]
  winlogbeat [command]

Available Commands:
  enroll      Enroll in Kibana for Central Management
  export      Export current config or index template
  help        Help about any command
  keystore    Manage secrets keystore
  run         Run winlogbeat
  setup       Setup index template, dashboards and ML jobs
  test        Test config
  version     Show current version info

Flags:
  -E, --E setting=value              Configuration overwrite
  -N, --N                            Disable actual publishing for testing
  -c, --c string                     Configuration file, relative to path.config (default "winlogbeat.yml")
      --cpuprofile string            Write cpu profile to file
  -d, --d string                     Enable certain debug selectors
  -e, --e                            Log to stderr and disable syslog/file output
      --environment environmentVar   set environment being ran in (default default)
  -h, --help                         help for winlogbeat
      --httpprof string              Start pprof http server
      --memprofile string            Write memory profile to this file
      --path.config string           Configuration path
      --path.data string             Data path
      --path.home string             Home path
      --path.logs string             Logs path
      --strict.perms                 Strict permission checking on config files (default true)
  -v, --v                            Log at INFO level

Hi, I have figured out the issue by using CMD instead of PowerShell:

C:\Users\user>"C:\Program Files\Elastic\Beats\7.10.0\winlogbeat\winlogbeat.exe"  --path.home "C:\Program Files\Elastic\Beats\7.10.0\winlogbeat" --path.config "C:\ProgramData\Elastic\Beats\winlogbeat" --path.data "C:\ProgramData\Elastic\Beats\winlogbeat\data" --path.logs "C:\ProgramData\Elastic\Beats\winlogbeat\logs" -E logging.files.redirect_stderr=true
Exiting: error loading config file: open C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml: The system cannot find the file specified.

Originally I had copied the winglogbeat.yaml into the Program Files path instead of the ProgramData path.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.