Error 1053 when starting winlogbeat or auditbeat

Good morning, when I try to Start-Service winlogbeat I receive the error 1053, same thing for auditbeat.
For the yml files I followed the getting started guide, so there should not be any error.
I have a keystore and it is in C:/ProgramData/Winlogbeat, as I read on a similar topic.
As I read online I also set the Timeout to 180000 for the service, but that didn't work.

The test config says Config OK, the setup doesn't return any error and if I run
.\winlogbeat.exe -c .\winlogbeat.yml -e -v -d "*"
everything works and I am able to see the logs on Kibana.

This is winlogbeat.yml

  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    level: critical, error, warning

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

winlogbeat.registry_file: C:/ProgramData/winlogbeat/winlogbeat.yml

  index.number_of_shards: 1

host: "http://xxxxxxx:5601"
#  # Array of hosts to connect to.
  hosts: ["https://xxxx:9200"]
#  # Protocol - either `http` (default) or `https`.
#  #protocol: "https"
#  # Authentication credentials - either API key or username/password.
#  #api_key: "id:api_key"
  username: "xxxxxx"
  password: "${ES_PWD}"
      - ./xxxxxx.pem
    certificate: "./xxxxx.pem"
    key: "./xxxxx.key"

  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

In the properties of the service I also have this, don't know if that could help

"C:\Program Files\Winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\Winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\Winlogbeat" "C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E logging.files.redirect_stderr=true

I resolved the problem by inserting the absolute paths for the certificates instead of the relative ones.
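
Added example (not part of the original thread and not Elastic's code): a PowerShell check that lists certificate, key and CA paths in a Beats config that are not absolute, which is the condition the fix above removed. A Windows service is not started from the Beat's install folder, so `./file.pem` can resolve in an interactive run from that folder and fail under the service. The function name `Find-RelativeBeatPath` and the sample config are constructed for illustration.

```powershell
# Added example: report TLS file paths in a Beats config that are not absolute.
function Find-RelativeBeatPath {
    param([Parameter(Mandatory)][string[]]$ConfigLines)
    $inCaList = $false   # true while reading a block-style certificate_authorities list
    $lineNo = 0
    foreach ($line in $ConfigLines) {
        $lineNo++
        if ($line -match '^\s*(#|$)') { continue }   # skip comments and blank lines
        $values = @()
        if ($line -match '^\s*(?:ssl\.)?(certificate_authorities|certificate|key)\s*:\s*(.*)$') {
            $rest = $Matches[2].Trim()
            $inCaList = ($Matches[1] -eq 'certificate_authorities' -and $rest -eq '')
            $values = $rest.Trim('[', ']') -split ','   # handles "a" and ["a", "b"]
        } elseif ($inCaList -and $line -match '^\s*-\s*(.+)$') {
            $values = @($Matches[1])                   # one list item per line
        } else {
            $inCaList = $false
        }
        foreach ($v in $values) {
            $path = $v.Trim().Trim('"', "'")
            # Empty values and ${...} references cannot be judged statically.
            if (-not $path -or $path.StartsWith('${')) { continue }
            # Absolute here means drive letter plus separator, or a UNC path.
            if ($path -notmatch '^([A-Za-z]:[\\/]|\\\\)') {
                [pscustomobject]@{ Line = $lineNo; Path = $path }
            }
        }
    }
}

# Constructed sample config (host name and file names are placeholders).
$sample = @'
output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]
  ssl:
    certificate_authorities:
      - ./ca.pem
    certificate: "./client.pem"
    key: "C:/ProgramData/winlogbeat/certs/client.key"
'@ -split "`r?`n"

Find-RelativeBeatPath -ConfigLines $sample | Format-Table -AutoSize

# Against a real file:
# Find-RelativeBeatPath -ConfigLines (Get-Content 'C:\Program Files\Winlogbeat\winlogbeat.yml')
```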
