Packetbeat not starting after standby


(Vincent Maury) #1

I have packetbeat 6.1.2 installed as a service, running fine, but when I put my laptop in standby (closing it) and wake it up, packetbeat does not start.
I can start it manually.
And all 3 other beats that I installed the same way (audit, metric and winlog) are starting fine...
Thanks in advance for your help!


(Steffen Siering) #2

How can you tell packetbeat does not start up anymore?

Which operating system are you using?

I wonder if packetbeat actually starts, but cannot sniff from the device anymore. Might be a kernel issue... which device and sniffer type are you using?


(Vincent Maury) #3

Hi Steffen,
I'm running Windows 10 Pro (Version 10.0.16299 number 16299).
I know it doesn't run because when I check my services, it's "stopped". And I can start it again.
After running a few tests, it appears there is an error in Windows events saying that the packetbeat service has stopped unexpectedly every time I close my laptop (it goes into standby mode).
Note that my packetbeat is configured to send data to a cluster I have on Elastic Cloud.


(Steffen Siering) #4

Have you checked packetbeat logs for errors? Please run packetbeat in debug mode. Debug selector 'service' should be enough.


(Steffen Siering) #5

Can you run packetbeat in the foreground, in a terminal? In case packetbeat crashes/breaks after a sleep, this info will be lost when being run as a service. For testing, please run packetbeat in a terminal with `packetbeat.exe -e -v -d '*' -c <path/to/config/file>`, put your machine to sleep and wake it up after a while.


(Vincent Maury) #6

Here you go (I replaced my cloud id with xxx):

```
C:\Users\Vincent\Documents\tech\Beats\packetbeat-6.1.2-windows-x86_64>packetbeat.exe -e -v -d '*'
packetbeat2018/02/09 16:13:18.850794 cloudid.go:42: INFO Setting Elasticsearch and Kibana URLs based on the cloud id: output.elasticsearch.hosts=https://xxx.europe-west1.gcp.cloud.es.io:443 and setup.kibana.host=https://xxx.europe-west1.gcp.cloud.es.io:443
2018/02/09 16:13:18.851764 beat.go:436: INFO Home path: [C:\Users\Vincent\Documents\tech\Beats\packetbeat-6.1.2-windows-x86_64] Config path: [C:\Users\Vincent\Documents\tech\Beats\packetbeat-6.1.2-windows-x86_64] Data path: [C:\Users\Vincent\Documents\tech\Beats\packetbeat-6.1.2-windows-x86_64\data] Logs path: [C:\Users\Vincent\Documents\tech\Beats\packetbeat-6.1.2-windows-x86_64\logs]
2018/02/09 16:13:18.851764 metrics.go:23: INFO Metrics logging every 30s
2018/02/09 16:13:18.851764 beat.go:443: INFO Beat UUID: cf165164-009a-4ca6-87a7-884c342289c3
2018/02/09 16:13:18.851764 beat.go:203: INFO Setup Beat: packetbeat; Version: 6.1.2
2018/02/09 16:13:18.851764 client.go:123: INFO Elasticsearch url: https://xxx.europe-west1.gcp.cloud.es.io:443
2018/02/09 16:13:18.852799 module.go:76: INFO Beat name: VINCENT-ELASTIC
2018/02/09 16:13:18.853769 procs.go:78: INFO Process matching disabled
2018/02/09 16:13:18.923953 device.go:75: INFO Resolved device index 0 to device: \Device\NPF_{A3F4F9AE-D5C1-4F4A-91EC-9D32DB0ACC19}
2018/02/09 16:13:18.923953 beat.go:276: INFO packetbeat start running.
2018/02/09 16:13:21.116784 client.go:651: INFO Connected to Elasticsearch version 6.1.3
2018/02/09 16:13:21.130820 load.go:73: INFO Template already exists and will not be overwritten.
2018/02/09 16:13:48.852770 metrics.go:39: INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30030 beat.memstats.gc_next=35889440 beat.memstats.memory_alloc=21780456 beat.memstats.memory_total=25667944 dns.unmatched_responses=1 libbeat.config.module.running=0 libbeat.output.read.bytes=4134 libbeat.output.type=elasticsearch libbeat.output.write.bytes=71062 libbeat.pipeline.clients=14 libbeat.pipeline.events.active=0 libbeat.pipeline.events.published=92 libbeat.pipeline.events.retry=2 libbeat.pipeline.events.total=92 libbeat.pipeline.queue.acked=92
2018/02/09 16:14:05.246181 util.go:47: INFO flows worker loop stopped
2018/02/09 16:14:05.246181 metrics.go:51: INFO Total non-zero values: beat.info.uptime.ms=46423 beat.memstats.gc_next=35889440 beat.memstats.memory_alloc=26041440 beat.memstats.memory_total=29928928 dns.unmatched_responses=2 libbeat.config.module.running=0 libbeat.output.read.bytes=8971 libbeat.output.type=elasticsearch libbeat.output.write.bytes=180466 libbeat.pipeline.clients=14 libbeat.pipeline.events.active=156 libbeat.pipeline.events.published=411 libbeat.pipeline.events.retry=2 libbeat.pipeline.events.total=411 libbeat.pipeline.queue.acked=255
2018/02/09 16:14:14.880555 metrics.go:52: INFO Uptime: 56.0578707s
2018/02/09 16:14:14.882560 beat.go:284: INFO packetbeat stopped.
2018/02/09 16:14:14.883567 beat.go:635: CRIT Exiting: Sniffer main loop failed: Sniffing error: Read Error
Exiting: Sniffer main loop failed: Sniffing error: Read Error
```


(Steffen Siering) #7

Please format logs, configs and terminal input/output using the </>-Button or markdown code fences. This forum uses Markdown to format posts. Without proper formatting, it can be very hard to read your posts.

The last message indicates why packetbeat stops:

```
2018/02/09 16:14:14.883567 beat.go:635: CRIT Exiting: Sniffer main loop failed: Sniffing error: Read Error
```

It gets a Read Error from WinPCAP (just assuming you use WinPCAP) and therefore shuts down. I guess the network adapter is not yet ready, while packetbeat is trying to continue sniffing.
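
The diagnosis above can be automated when a capture sensor stops without anyone noticing. The following is an added example, not part of the original thread or of the Beats project: it parses the 6.x log layout seen in the posted output and reports which device was opened, how long the sniffer ran, and the fatal reason. The function names and report fields are hypothetical.

```python
import re
from datetime import datetime

# Layout seen in the thread: "<date> <time> <file.go>:<line>: <LEVEL> <message>"
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<src>[\w.]+:\d+): (?P<level>[A-Z]+) (?P<msg>.*)"
)

# Excerpt of the log posted in this thread.
SAMPLE_LOG = """\
2018/02/09 16:13:18.923953 device.go:75: INFO Resolved device index 0 to device: \\Device\\NPF_{A3F4F9AE-D5C1-4F4A-91EC-9D32DB0ACC19}
2018/02/09 16:13:18.923953 beat.go:276: INFO packetbeat start running.
2018/02/09 16:14:05.246181 util.go:47: INFO flows worker loop stopped
2018/02/09 16:14:14.882560 beat.go:284: INFO packetbeat stopped.
2018/02/09 16:14:14.883567 beat.go:635: CRIT Exiting: Sniffer main loop failed: Sniffing error: Read Error
Exiting: Sniffer main loop failed: Sniffing error: Read Error
"""

def parse_line(line):
    """Return a dict for a timestamped log line, or None for anything else."""
    m = LINE_RE.search(line)  # search() tolerates a prefix glued before the date
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S.%f")
    return rec

def diagnose(log_text):
    """Summarise one packetbeat run: device, run time and fatal exit reason."""
    report = {"device": None, "started": None, "stopped": None,
              "run_seconds": None, "fatal": None, "capture_failure": False}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. the unstamped "Exiting: ..." echo on stderr
        msg = rec["msg"]
        if msg.startswith("Resolved device index"):
            report["device"] = msg.split("to device: ", 1)[1]
        elif msg.endswith("start running."):
            report["started"] = rec["ts"]
        elif rec["src"].startswith("beat.go") and msg.endswith("stopped."):
            report["stopped"] = rec["ts"]
        elif rec["level"] == "CRIT" and msg.startswith("Exiting: "):
            report["fatal"] = msg[len("Exiting: "):]
            report["capture_failure"] = "Sniff" in report["fatal"]
    if report["started"] and report["stopped"]:
        report["run_seconds"] = (report["stopped"] - report["started"]).total_seconds()
    return report
```
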


(Vincent Maury) #8

Sorry Steffen for the poor formatting.
I solved my issue! Indeed it was coming from WinPcap.
WinPcap doesn't work on Windows 10.
I used Win10Pcap (see http://www.win10pcap.org/ ), which is working fine!
Thanks for your support!

