I installed Filebeat 7.3.0 on my Windows machine to ship logs to ELK. After running "Start-Service filebeat" for the first time, everything worked as expected. I can see all the events in Kibana. However, after I made some changes to filebeat.yml and then tried to restart the service, all of a sudden, I got this error:
Start-Service : Service 'filebeat (filebeat)' cannot be started due to the following error: Cannot open filebeat
service on computer '.'.
At line:1 char:1
Start-Service filebeat
+ CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
ServiceCommandException
+ FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
If I try the "filebeat.exe -e" command to run Filebeat in the foreground, it works again. After some research on Google, I am still confused about why I am having this error. Then I had this feeling that maybe it has something to do with my folder permissions. I changed the properties of my Filebeat folder (and its subfolders) to make sure the admin has rights to write to it, and then the Start-Service command works again. But this time, Filebeat didn't write anything to Filebeat/logs. However, it does harvest data from target files and send them to ELK.
So I restarted Filebeat again, still the same, except a new issue happened. I noticed that it resent old events which had already been sent. Even weirder, it looks like it didn't resend the whole target file, only part of it.
So assume there is a target file with one line: "A". I start Filebeat, ok, it will send A to ELK. Then I add line "B" to the target file, ok, Filebeat will send B to ELK, too. Now if I restart Filebeat, it will resend B, only B to ELK again. Since I don't have any logs to check with, I am totally confused here. What's more, in the registry folder, there are three files: data.json, meta.json and data.json.old. What is data.json.old? I didn't find anything on Google about this file. Maybe it's the potential reason?
Below is my filebeat.yml:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\Users\njuho\Downloads\Filebeats_test_logs\*
  fields:
    application: "yihao_test_app"
  fields_under_root: true
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 0
setup.kibana:
  host: "my kibana server ip"
output.elasticsearch:
  hosts: ["my elk server ip"]
  username: "elastic"
  password: "mypassword"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~