Filebeat syscall/dll_windows.go Error

perryparktung · August 15, 2018, 1:44pm

Hi,

I got following error when booting filebeat as a service in Windows Server 2003. Does anyone know what's going on? It said "recovering", but I still want to know what happened...

2018-08-15T09:19:51.147-0400 ERROR syscall/dll_windows.go:280 An unexpected error occurred while collecting information about the system.. Recovering, but please report this. {"panic": "Failed to find GetTickCount64 procedure in kernel32.dll: The specified procedure could not be found.", "stack": "github.com/elastic/beats/libbeat/logp.Recover\n\t/go/src/github.com/elastic/beats/libbeat/logp/global.go:88\nruntime.call16\n\t/usr/local/go/src/runtime/asm_386.s:559\nruntime.gopanic\n\t/usr/local/go/src/runtime/panic.go:491\nsyscall.(*LazyProc).mustFind\n\t/usr/local/go/src/syscall/dll_windows.go:280\nsyscall.(*LazyProc).Addr\n\t/usr/local/go/src/syscall/dll_windows.go:287\ngithub.com/elastic/beats/vendor/github.com/elastic/go-windows._GetTickCount64\n\t/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-windows/zsyscall_windows.go:63\ngithub.com/elastic/beats/vendor/github.com/elastic/go-windows.GetTickCount64\n\t/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-windows/kernel32.go:182\ngithub.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows.BootTime\n\t/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows/boottime_windows.go:28\ngithub.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows.(*reader).bootTime\n\t/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows/host_windows.go:127\ngithub.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows.newHost\n\t/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows/host_windows.go:87\ngithub.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows.windowsSystem.Host\n\t/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows/host_windows.go:40\ngithub.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/providers/windows.(*windowsSystem).Host\n\t<autogenerated>:1\ngithub.com/elastic/beats/vendor/github.com/elastic/go-sysinfo.Host\n\t/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-sysinfo/system.go:50\ngithub.com/elastic/beats/libbeat/cmd/instance.logSystemInfo\n\t/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:731\ngithub.com/elastic/beats/libbeat/cmd/instance.(*Beat).createBeater\n\t/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:224\ngithub.com/elastic/beats/libbeat/cmd/instance.(*Beat).launch\n\t/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:273\ngithub.com/elastic/beats/libbeat/cmd/instance.Run.func1\n\t/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:146\ngithub.com/elastic/beats/libbeat/cmd/instance.Run\n\t/go/src/github.com/elastic/beats/libbeat/cmd/instance/beat.go:147\ngithub.com/elastic/beats/libbeat/cmd.genRunCmd.func1\n\t/go/src/github.com/elastic/beats/libbeat/cmd/run.go:19\ngithub.com/elastic/beats/vendor/github.com/spf13/cobra.(*Command).execute\n\t/go/src/github.com/elastic/beats/vendor/github.com/spf13/cobra/command.go:704\ngithub.com/elastic/beats/vendor/github.com/spf13/cobra.(*Command).ExecuteC\n\t/go/src/github.com/elastic/beats/vendor/github.com/spf13/cobra/command.go:785\ngithub.com/elastic/beats/vendor/github.com/spf13/cobra.(*Command).Execute\n\t/go/src/github.com/elastic/beats/vendor/github.com/spf13/cobra/command.go:738\nmain.main\n\t/go/src/github.com/elastic/beats/filebeat/main.go:18\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:195"}

Thanks.

kvch · August 15, 2018, 3:24pm

Filebeat is not supported on Windows Server 2003. Only Windows servers which are supported is Windows Server 2012/R2 and Windows Server 2016. See the support matrix here: https://www.elastic.co/support/matrix

The panic happened when GetTickCount64 was called which is part of kernel32.dll. But this function requires at least Windows Server 2008, as you can see it under the "Requirements" section on https://msdn.microsoft.com/en-us/library/windows/desktop/ms724411(v=vs.85).aspx.

perryparktung · August 15, 2018, 6:06pm

I can still see logs being poured to Elastic though. What is the potential problems of the exception?

kvch · August 16, 2018, 6:45am

It is used by Winlogbeat to report the uptime of the host. I don't see as a threat to logging. However, there might be other functions which are not available for Windows Server 2003. Those function can still cause problems during the operation of Filebeat. I can't advise you to continue to use Filebeat on an unsupported platform. We cannot guarantee that Filebeat would work as expected.

perryparktung · August 16, 2018, 5:33pm

Thanks!

system · September 13, 2018, 5:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.