Error: Cannot start service winlogbeat

(paul) #1

Hi I'm trying to install Winlogbeat with little success. I have followed the instructions and have configured the YAML but it refuses to run.

Here's the error:

PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Start-Service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot start service winlogbeat on computer '.'.
At line:1 char:14
+ Start-Service <<<<  winlogbeat
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

Any ideas?

(Andrew Kroh) #2

Try starting Winlogbeat in the foreground (not as a service) and see if there are any errors. This is similar to what we recommend in the Getting Started guide to test the configuration prior running it as a service, but this will actually run it with full debug enabled.

PS C:\Program Files\Winlogbeat>.\winlogbeat.exe -c winlogbeat.yml -e -v -d "*"

If that doesn't get you anywhere, then post your configuration here.

Winlogbeat can't start the service (Solved)
(paul) #3

Thanks for your quick reply. I have been working through the Getting Started guide but admittingly, new to this. However ran the command and now have more info:

Exiting: error loading config file: YAML config parsing failed on winlogbeat.yml: yaml: line 138: did not find expected key

I know that YAML hates tabbing so made sure that wasn't there and I am not using TLS yet and have that running in insecure mode.

(Andrew Kroh) #4

Please post your configuration file.

(paul) #5

HI, it's very much the default with Elasticsearch commented out and Logstash configured in with TLS set to insecure since the build is POC . I tried to include the configuration file but it exceeds the character limit hence cut down version below.


  ### Elasticsearch as output
    # Array of hosts to connect to.
    # Scheme and port can be left out and will be set to the default (http and 9200)
    # In case you specify and additional path, the scheme is required: http://localhost:9200/path
    # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
    #hosts: [""]

    # Optional protocol and basic auth credentials.
    #protocol: "https"
    #username: "admin"
    #password: "s3cr3t"

    # Dictionary of HTTP parameters to pass within the url with index operations.
      #param1: value1
      #param2: value2

    # Number of workers per Elasticsearch host.
    #worker: 1

    # Optional index name. The default is "winlogbeat" and generates
    # [winlogbeat-]YYYY.MM.DD keys.
    #index: "winlogbeat"

    # A template is used to set the mapping in Elasticsearch
    # By default template loading is enabled and the template is loaded.
    # These settings can be adjusted to load your own template or overwrite existing ones

      # Template name. By default the template name is winlogbeat.
      name: "winlogbeat"

      # Path to template file
      path: "winlogbeat.template.json"

      # Overwrite existing template
      overwrite: false

  ### Logstash as output
    # The Logstash hosts
    hosts: [""]

    # Number of workers per Logstash host.
    #worker: 1

    # Set gzip compression level.
    #compression_level: info

    # Optional load balance the events between the Logstash hosts
    #loadbalance: true

    # Optional index name. The default index name is set to name of the beat
    # in all lowercase.
    #index: winlogbeat

    # SOCKS5 proxy server URL
    #proxy_url: socks5://user:password@socks5-server:2233

    # Resolve names locally when using a proxy server. Defaults to false.
    #proxy_use_local_resolver: false

    # Optional TLS. By default is off.
      # List of root certificates for HTTPS server verifications
      #certificate_authorities: ["/etc/pki/root/ca.pem"]

      # Certificate for TLS client authentication
      #certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      #certificate_key: "/etc/pki/client/cert.key"

      # Controls whether the client verifies server certificates and host name.
      # If insecure is set to true, all server host names and certificates will be
      # accepted. In this mode TLS based connections are susceptible to
      # man-in-the-middle attacks. Use only for testing.
      insecure: true

(Andrew Kroh) #6

It looks like there is a section of the elasticsearch output configuration that you didn't comment out. This will cause problems.

I should have mentioned about using Our config files are too big anymore for the forums.

(paul) #7

Thanks Andrew, I did look at commenting out but wondered how templates would be selected for winlogbeat [wlb] without it, however will try.

(Andrew Kroh) #8

That template configuration controls the automatic installation of the index template for the winlogbeat-* index. Since you are using the Logstash output you will need to install the winlogbeat template yourself. Index template installation is covered in the Getting Started guide.

(paul) #9

Hi Andrew. yes commenting out the template values worked nicely, thank you and I feel I am also there in using ELK to detect [task: Logon OR Logoff] events and present them in a dashboard. With regard to loading the template I did follow the guide but did not understand where these should be manually loaded, client or ELK server? Am I right that I will not be able to visualise the data until I get the correct templates whilst making sure all beat clients are at the same version?

UPDATE: To run the manual install requires PowerShell v4 however I only have v2 so this is a blocker!

(Andrew Kroh) #10

The index template is important because it controls how the data is indexed in Elasticsearch. It must be installed prior to sending any data to Elasticsearch. The index template is configured in your Elasticsearch cluster through a web request.

If you are not using Elasticsearch v5 then you need to get a copy of the index template that came with Winlogbeat 1.X and install that to Elasticsearch.

Do you have any other non-Windows machine that you can use? If so, then it is probably easier to just install the template from another machine using curl.

curl -XPUT http://elasticsearch:9200/_template/winlogbeat -d@/path/to/winlogbeat.template.json

If you had indexed any data prior to the template installation, then you need to delete all that data and reindex it:

  1. curl -XDELETE http://elasticsearch:9200/winlogbeat-*
  2. Stop Winlogbeat.
  3. Delete the .winlogbeat.yml registry file.
  4. Start Winlogbeat

(system) #11

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.