```powershell
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Start-Service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot start service winlogbeat on computer '.'.
At line:1 char:14
+ Start-Service <<<< winlogbeat
    + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
```
Try starting Winlogbeat in the foreground (not as a service) and see if there are any errors. This is similar to what we recommend in the Getting Started guide to test the configuration prior to running it as a service, but this will actually run it with full debug enabled.
Thanks for your quick reply. I have been working through the Getting Started guide but, admittedly, I am new to this. However, I ran the command and now have more info:
Exiting: error loading config file: YAML config parsing failed on winlogbeat.yml: yaml: line 138: did not find expected key
I know that YAML hates tabbing so made sure that wasn't there and I am not using TLS yet and have that running in insecure mode.
Hi, it's very much the default with Elasticsearch commented out and Logstash configured in, with TLS set to insecure since the build is a POC. I tried to include the configuration file but it exceeds the character limit, hence the cut-down version below.
```yaml
output:
  ### Elasticsearch as output
  ##elasticsearch:
    # Array of hosts to connect to.
    # Scheme and port can be left out and will be set to the default (http and 9200)
    # In case you specify and additional path, the scheme is required: http://localhost:9200/path
    # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
    #hosts: ["xxxx.com:9200"]
    # Optional protocol and basic auth credentials.
    #protocol: "https"
    #username: "admin"
    #password: "s3cr3t"
    # Dictionary of HTTP parameters to pass within the url with index operations.
    #parameters:
      #param1: value1
      #param2: value2
    # Number of workers per Elasticsearch host.
    #worker: 1
    # Optional index name. The default is "winlogbeat" and generates
    # [winlogbeat-]YYYY.MM.DD keys.
    #index: "winlogbeat"
    # A template is used to set the mapping in Elasticsearch
    # By default template loading is enabled and the template is loaded.
    # These settings can be adjusted to load your own template or overwrite existing ones
    template:
      # Template name. By default the template name is winlogbeat.
      name: "winlogbeat"
      # Path to template file
      path: "winlogbeat.template.json"
      # Overwrite existing template
      overwrite: false
  ### Logstash as output
  logstash:
    # The Logstash hosts
    hosts: ["myELKserver.com:5044"]
    # Number of workers per Logstash host.
    #worker: 1
    # Set gzip compression level.
    #compression_level: info
    # Optional load balance the events between the Logstash hosts
    #loadbalance: true
    # Optional index name. The default index name is set to name of the beat
    # in all lowercase.
    #index: winlogbeat
    # SOCKS5 proxy server URL
    #proxy_url: socks5://user:password@socks5-server:2233
    # Resolve names locally when using a proxy server. Defaults to false.
    #proxy_use_local_resolver: false
    # Optional TLS. By default is off.
    tls:
      # List of root certificates for HTTPS server verifications
      #certificate_authorities: ["/etc/pki/root/ca.pem"]
      # Certificate for TLS client authentication
      #certificate: "/etc/pki/client/cert.pem"
      # Client Certificate Key
      #certificate_key: "/etc/pki/client/cert.key"
      # Controls whether the client verifies server certificates and host name.
      # If insecure is set to true, all server host names and certificates will be
      # accepted. In this mode TLS based connections are susceptible to
      # man-in-the-middle attacks. Use only for testing.
      insecure: true
```
That template configuration controls the automatic installation of the index template for the winlogbeat-* index. Since you are using the Logstash output you will need to install the winlogbeat template yourself. Index template installation is covered in the Getting Started guide.
Hi Andrew, yes, commenting out the template values worked nicely, thank you, and I feel I am also there in using ELK to detect [task: Logon OR Logoff] events and present them in a dashboard. With regard to loading the template, I did follow the guide but did not understand where these should be manually loaded: client or ELK server? Am I right that I will not be able to visualise the data until I get the correct templates, whilst making sure all beat clients are at the same version?
UPDATE: To run the manual install requires PowerShell v4 however I only have v2 so this is a blocker!
The index template is important because it controls how the data is indexed in Elasticsearch. It must be installed prior to sending any data to Elasticsearch. The index template is configured in your Elasticsearch cluster through a web request.
Do you have any other non-Windows machine that you can use? If so, then it is probably easier to just install the template from another machine using curl.
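A pre-flight check for the two configuration points this thread turned on, written as an added example (not Winlogbeat's own code and not posted by anyone in the thread): it flags sibling keys with mismatched indentation, which is the shape a live `template:` block under a commented-out `elasticsearch:` takes and a plausible cause of `did not find expected key`, and it flags `tls.insecure: true`. The sample config is constructed from the cut-down file posted earlier, indented the way the shipped winlogbeat.yml is.

```python
"""Pre-flight check for a Winlogbeat 1.x winlogbeat.yml (added example).
Flags mapping keys whose indentation disagrees with earlier siblings and
`insecure: true` under `tls:`, without needing PyYAML."""
import re

# Constructed sample: `elasticsearch:` is commented out, its `template:`
# child is not, and the Logstash output runs TLS in insecure mode.
BROKEN_CONFIG = """\
output:
  ##elasticsearch:
    #hosts: ["xxxx.com:9200"]
    template:
      name: "winlogbeat"
      path: "winlogbeat.template.json"
      overwrite: false
  logstash:
    hosts: ["myELKserver.com:5044"]
    tls:
      insecure: true
"""

KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w.-]*):\s*(.*)$")


def check_config(text):
    """Return a list of findings (empty means the file passed both checks)."""
    findings = []
    stack = []  # live mapping keys: [indent, key, indent_of_first_child]
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # commented-out keys are invisible to the YAML parser
        m = KEY_RE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # a dedent closes the deeper mappings
        if stack:
            parent = stack[-1]
            if parent[2] is None:
                parent[2] = indent
            elif parent[2] != indent:
                findings.append("line %d: '%s' is indented %d but earlier keys "
                                "under '%s' use %d (YAML will reject this mapping)"
                                % (lineno, key, indent, parent[1], parent[2]))
        if key == "insecure" and value == "true" and stack and stack[-1][1] == "tls":
            findings.append("line %d: tls.insecure is true; server certificates "
                            "are not verified (testing only)" % lineno)
        stack.append([indent, key, None])
    return findings
```

Running `check_config` over the constructed sample reports the `logstash:` key at indent 2 disagreeing with the orphaned `template:` block at indent 4, plus the insecure TLS setting; a file with the template block commented out and `insecure: false` comes back clean.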