Good morning. When I try to Start-Service winlogbeat I receive error 1053; same thing for auditbeat.
For the yml files I followed the getting started guide, so there should not be any error.
I have a keystore and it is in C:/ProgramData/Winlogbeat, as I read on a similar topic.
As I read online, I also set the Timeout to 180000 for the service, but that didn't work.
The test config says Config OK, the setup doesn't return any error, and if I run

```
.\winlogbeat.exe -c .\winlogbeat.yml -e -v -d "*"
```

everything works and I am able to see the logs in Kibana.
This is winlogbeat.yml:
```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
    level: critical, error, warning
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]

winlogbeat.registry_file: C:/ProgramData/winlogbeat/winlogbeat.yml

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "http://xxxxxxx:5601"

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://xxxx:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "xxxxxx"
  password: "${ES_PWD}"
  ssl:
    certificate_authorities:
      - ./xxxxxx.pem
    certificate: "./xxxxx.pem"
    key: "./xxxxx.key"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
```
In the properties of the service I also have this, don't know if that could help:

```
"C:\Program Files\Winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\Winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\Winlogbeat" --path.data "C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E logging.files.redirect_stderr=true
```
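The symptom above (the beat runs fine in the foreground but the service dies with 1053) is usually about what differs between the two launch modes: the account the service runs as, its working directory, where it looks for the keystore, and where it writes its log. The following PowerShell script is an added troubleshooting example, not code from the original post or from the Beats project. It assumes the service name, install folder and data folder shown in the service's ImagePath above, and that the keystore lives at `<path.data>\winlogbeat.keystore` (the default location). It prints the registration details, checks the keystore, tests whether every relative `./...` path in the YAML resolves from both the install folder and System32 (a service started by the Service Control Manager starts in System32, not in the install folder), tails the most recent beat log, and lists the SCM events for the service.

```powershell
# Added troubleshooting script for a Winlogbeat service that fails with 1053.
# Assumed values taken from the service's ImagePath in the post above.
$ServiceName = 'winlogbeat'
$InstallDir  = 'C:\Program Files\Winlogbeat'
$DataDir     = 'C:\ProgramData\winlogbeat'
$LogDir      = Join-Path $DataDir 'logs'

# 1. How is the service registered: binary path, logon account, current state.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not registered" }
"{0}: state={1} account={2}" -f $svc.Name, $svc.State, $svc.StartName
"ImagePath: $($svc.PathName)"

# 2. ${ES_PWD} is read from the keystore under --path.data (assumed default name).
$keystore = Join-Path $DataDir 'winlogbeat.keystore'
"Keystore present at $keystore : $(Test-Path $keystore)"

# 3. Relative paths in the YAML (./xxx.pem) are resolved against the process's
#    working directory. In the foreground that is the install folder; under the
#    SCM it is System32. Report where each referenced file actually exists.
$yaml = Get-Content (Join-Path $InstallDir 'winlogbeat.yml') -Raw
$relPaths = [regex]::Matches($yaml, '\./[^\s"'']+') |
    ForEach-Object { $_.Value } | Sort-Object -Unique
foreach ($p in $relPaths) {
    $fromInstall  = Test-Path (Join-Path $InstallDir $p)
    $fromSystem32 = Test-Path (Join-Path "$env:SystemRoot\System32" $p)
    "{0,-30} install-dir={1} system32={2}" -f $p, $fromInstall, $fromSystem32
}

# 4. With redirect_stderr=true the startup error lands in the beat's own log
#    under --path.logs, not on any console. Show the tail of the newest file.
Get-ChildItem $LogDir -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    ForEach-Object {
        "--- last 30 lines of $($_.FullName) ---"
        Get-Content $_.FullName -Tail 30
    }

# 5. The Service Control Manager records the 1053 timeout in the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$ServiceName*" } |
    Select-Object -First 5 TimeCreated, Id, Message
```

Run it from an elevated PowerShell on the host. If step 3 shows a certificate or key that exists from the install folder but not from System32, the fix is to use absolute paths for `ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` in the YAML; if step 2 reports no keystore at the data path, create it there with the beat's `keystore` subcommand while running under the same `--path.data` the service uses. The tail in step 4 normally names the exact setting that made startup exit before the SCM's timeout.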