Having Issue Starting Winlogbeat As A Windows Service

Elastic Stack Beats
1

I am having issues getting winlogbeat to start as a Windows service on my Windows 10 (1909) system. As you can see below, I am not getting any obvious errors when trying to install and start the Windows service. Just that the service will not start.

PS C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64> .\install-service-winlogbeat.ps1

Status Name DisplayName
------ ---- -----------
Stopped winlogbeat winlogbeat

PS C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64> Start-Service winlogbeat
PS C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64> Get-Service winlogbeat

Status Name DisplayName
------ ---- -----------
Stopped winlogbeat winlogbeat

I am able to run winlogbeat from command line successfully and can see winlogbeat logs in kibana.

2

So i looked at the winlogbeat log file and am seeing this error:

2021-01-08T12:09:19.639-0800	INFO	[monitoring]	log/log.go:154	Uptime: 232.2918ms
2021-01-08T12:09:19.639-0800	INFO	[monitoring]	log/log.go:131	Stopping metrics logging.
2021-01-08T12:09:19.640-0800	INFO	instance/beat.go:452	winlogbeat stopped.
2021-01-08T12:09:19.643-0800	ERROR	instance/beat.go:956	Exiting: error connecting to Kibana: fail to load the TLS config: 2 errors: open /certs/lab.crt: The system cannot find the path specified. /certs/lab.crt; open /certs/ca.crt: The system cannot find the path specified. reading <nil>

So I changed my yaml to the full path of the certificates:

*# =================================== Kibana ===================================*
*setup.kibana:*
*  host: https://lab:5601*
*  ssl.enabled: true*
*  setup.kibana.ssl.verification_mode: none*
*  ssl.certificate_authorities: "C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64\config\certs\ca.crt"*
*  ssl.certificate: "C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64\config\certs\lab.crt"*
*  ssl.key: "C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64\config\certs\lab.key"*
*# ---------------------------- Elasticsearch Output ----------------------------*
*output.elasticsearch:*
*  hosts: "https://lab:9200"*
*  username: "elastic" *
*  password: "passwordhere"*
*  output.elastic.ssl.certificate_authorities: "C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64\config\certs\ca.crt"*
*  output.elastic.ssl.key: "C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64\config\certs\lab.key"*

But now I am getting the following error:

C:\elk\7.10.1\beats\winlogbeat-7.10.1-windows-x86_64>winlogbeat.exe test config -c .\winlogbeat.yml -e
Exiting: error loading config file: yaml: line 46: found unknown escape character

What path should I be specifying?

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.