I have just started working with Winlogbeat as a forwarder to Graylog (Logstash). I was able to get this working perfectly fine with the .zip file.
In order to simplify the deployment, I wanted to use the .msi file, and simply copy across a known winlogbeat.yaml file - likely as part of a login script or otherwise.
The config checks out perfectly OK and I can run .\winlogbeat.exe -e and see logs being sent to Graylog; however, no matter what I do, the Windows service will not start so that this can run as a system process.
Has anybody found a resolution for this? I have tested on Windows 2019 and Windows 10 - exactly the same error. I have also tested versions 7.9.0 and 7.10.0 - both send logs, but neither can start the service
@mackov83, do you see any information about this in the Event Viewer or in the winlogbeat logs?
Also, the error you get while running the command is due to the -- expression, maybe replace it with -path..
When I try to start the Elastic Winlogbeat 7.x service, event viewer shows:
The Elastic Winlogbeat 7.10.0 service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
I assume the Winlogbeat service would first need to start before log files are going to be generated?
I took the command that I ran directly from the properties of the 'Elastic Winlogbeat 7.10.0' Windows service. As far as I know this is the command that will be run when the service is started.
With regards to syntax - vs --, it didn't work (as expected). Below is the output from the help related to Winlogbeat.exe - note the syntax for --path.x:
PS C:\Program Files\Elastic\Beats\7.10.0\winlogbeat> .\winlogbeat.exe --help
Usage:
winlogbeat [flags]
winlogbeat [command]
Available Commands:
enroll Enroll in Kibana for Central Management
export Export current config or index template
help Help about any command
keystore Manage secrets keystore
run Run winlogbeat
setup Setup index template, dashboards and ML jobs
test Test config
version Show current version info
Flags:
-E, --E setting=value Configuration overwrite
-N, --N Disable actual publishing for testing
-c, --c string Configuration file, relative to path.config (default "winlogbeat.yml")
--cpuprofile string Write cpu profile to file
-d, --d string Enable certain debug selectors
-e, --e Log to stderr and disable syslog/file output
--environment environmentVar set environment being ran in (default default)
-h, --help help for winlogbeat
--httpprof string Start pprof http server
--memprofile string Write memory profile to this file
--path.config string Configuration path
--path.data string Data path
--path.home string Home path
--path.logs string Logs path
--strict.perms Strict permission checking on config files (default true)
-v, --v Log at INFO level
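A deployment-and-diagnosis script for the procedure the thread describes (drop a known-good winlogbeat.yml into the MSI install, validate it, start the service, and gather evidence when it times out), added here as an example; it is not code from the thread or from Elastic. It assumes the MSI keeps config, data and logs under C:\ProgramData\Elastic\Beats\winlogbeat, that the service display name is "Elastic Winlogbeat <version>", and that the golden config sits on a file share (\\fileserver\deploy); only the install path under C:\Program Files and the SCM error text come from the thread itself. The security point it carries is that the config is read by a service running as SYSTEM and decides where every event on the host is shipped, so it should be placed by an admin/startup task and locked to SYSTEM and Administrators, not copied around by a user login script.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from Elastic: deploy a known-good
# winlogbeat.yml into an MSI install, validate it with the *same* --path.* flags
# the service uses, then start the service and collect evidence if it times out.
#
# ASSUMPTIONS (not stated on the page): the MSI keeps config/data/logs under
# C:\ProgramData\Elastic\Beats\winlogbeat, the service display name is
# "Elastic Winlogbeat <version>", and the golden config lives on a file share.

$Version     = '7.10.0'
$BeatHome    = "C:\Program Files\Elastic\Beats\$Version\winlogbeat"  # path shown in the thread
$ConfigDir   = 'C:\ProgramData\Elastic\Beats\winlogbeat'              # assumption
$DataDir     = Join-Path $ConfigDir 'data'                            # assumption
$LogDir      = Join-Path $ConfigDir 'logs'                            # assumption
$GoldenCfg   = '\\fileserver\deploy\winlogbeat.yml'                   # assumption
$DisplayName = "Elastic Winlogbeat $Version"

$exe = Join-Path $BeatHome 'winlogbeat.exe'
$cfg = Join-Path $ConfigDir 'winlogbeat.yml'
$pathFlags = @('--path.home', $BeatHome, '--path.config', $ConfigDir,
               '--path.data', $DataDir, '--path.logs', $LogDir)

# 1. Install the config. Run this as an admin/startup task, not a user login
#    script: the service runs as SYSTEM and this file decides where every event
#    on the host is shipped (and may carry output credentials).
New-Item -ItemType Directory -Force -Path $ConfigDir, $DataDir, $LogDir | Out-Null
Copy-Item -Path $GoldenCfg -Destination $cfg -Force

# 2. Lock the file down: SYSTEM and Administrators only, inheritance cut.
$acl = Get-Acl -Path $cfg
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $cfg -AclObject $acl

# 3. Show the command line the service really runs, so the flags used below can
#    be compared with it (what the poster read from the service properties).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
if (-not $svc) { throw "service '$DisplayName' not found" }
Write-Host "Service command: $($svc.PathName)"

# 4. Validate syntax, then reachability of the output, using the service's
#    paths rather than whatever directory the shell happens to be in.
& $exe test config -c winlogbeat.yml @pathFlags
if ($LASTEXITCODE -ne 0) { throw "config rejected by 'test config'" }
& $exe test output -c winlogbeat.yml @pathFlags
if ($LASTEXITCODE -ne 0) { throw "output unreachable according to 'test output'" }

# 5. Start the service and wait until it reports Running.
try {
    Start-Service -Name $svc.Name -ErrorAction Stop
    (Get-Service -Name $svc.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "$DisplayName is running"
}
catch {
    Write-Warning "start failed: $($_.Exception.Message)"

    # 6a. Service Control Manager events: 7000 = failed to start (the message
    #     quoted in the thread), 7009 = timeout waiting for the service to connect.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7000, 7009; StartTime = (Get-Date).AddMinutes(-10)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$DisplayName*" } |
        Format-Table TimeCreated, Id, Message -AutoSize -Wrap

    # 6b. The beat's own log, if it got far enough to open one.
    Get-ChildItem -Path $LogDir -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
        ForEach-Object { Write-Host "--- $($_.FullName) ---"; Get-Content -Path $_.FullName -Tail 40 }
    exit 1
}
```

Running `test config` and `test output` with the service's own `--path.*` flags matters because `-c` is resolved relative to `path.config` (see the help text above): a config that validates from the install directory can still be a different file from the one the service loads. If step 5 fails while step 4 passed, the SCM events and the log tail are the two places the answer will be.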