Problems With Winlogbeat

Hello, I am trying to set up Winlogbeat and I am running into some issues. I was able to get it configured correctly and when I run it in debug mode it seems to run fine.

.\winlogbeat.exe -c winlogbeat.yml -e -v -d "*"

When I try to start it normally using this command

Start-Service winlogbeat

It doesn't start correctly. It gives me this error

Start-Service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot start service
winlogbeat on computer '.'.
At line:1 char:1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

I am running this virtual machine from a proxmox server.

I have also tried Googling around quite a bit and I can't seem to get any leads. The error is really unhelpful and doesn't seem to give me any leads.

Are you saving passwords to a keystore file? Look at the paths that the winlogbeat service is trying to use. If you use the .msi install for Winlogbeat, you need to create a C:\Program Files\Elastic\Beats<version number>\winlogbeat\data directory and copy the winlogbeat.keystore file that is in the C:\ProgramData\Elastic\Beats\Winlogbeat\data directory to it. If you did a .zip install you need to do something similar, but your paths will be different. Hope this fixes your problem.

Yes, I am using a keystore file. I downloaded it using a .zip install. Winlogbeat is currently in
C:/Program Files/Winlogbeat/winlogbeat.exe

The keystore is currently in
C:/Program Files/Winlogbeat/data/winlogbeat.keystore

What do you mean when you say "Look at the paths that the winlogbeat service is trying to use"? How would I check this?

I tried just adding the keystore file to the top-level directory where winlogbeat is located and it didn't get me anywhere. I tried putting it in
C:/Program Files/Winlogbeat/winlogbeat.keystore

This does narrow down my issue quite a bit though because the other setups that I had working didn't use a keystore.

Open Control Panel -> Administrative Tools -> Services and navigate to Elastic's Winlogbeat. Right-click and select Properties. You will get a screen that looks like the following.

In the 'Path to executable' section, you will see all the paths that are defined for winlogbeat.exe to use. In particular, you will see that it is using C:\ProgramData\Elastic\Beats\Winlogbeat\data as the data directory. A copy of your winlogbeat.keystore file needs to be in that location or else the service will not start.
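
The same check as the Services dialog in the reply above, done from PowerShell. This is an added example, not part of the original thread: it assumes the service is registered under the name winlogbeat and that its command line passes the data directory with the Beats --path.data flag; the sample command line is constructed and is used only when the service is not installed.

```powershell
# Added example: find the data directory the winlogbeat service is launched with
# and check whether winlogbeat.keystore is present there.

function Get-BeatPathOption {
    param(
        [Parameter(Mandatory)] [string] $CommandLine,
        [Parameter(Mandatory)] [string] $Option   # e.g. 'path.data'
    )
    # Accept -opt or --opt, '=' or whitespace as separator, quoted or bare value.
    $pattern = '-{1,2}' + [regex]::Escape($Option) + '(?:=|\s+)(?:"(?<q>[^"]+)"|(?<u>\S+))'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }
    if ($m.Groups['q'].Success) { return $m.Groups['q'].Value }
    return $m.Groups['u'].Value
}

function Test-BeatKeystore {
    param([Parameter(Mandatory)] [string] $CommandLine)
    $dataDir = Get-BeatPathOption -CommandLine $CommandLine -Option 'path.data'
    if (-not $dataDir) {
        # No explicit data path on the command line; nothing to check here.
        return [pscustomobject]@{ DataDir = $null; Keystore = $null; Exists = $false }
    }
    $keystore = Join-Path $dataDir 'winlogbeat.keystore'
    [pscustomobject]@{
        DataDir  = $dataDir
        Keystore = $keystore
        Exists   = Test-Path -LiteralPath $keystore
    }
}

# 'Path to executable' in the Services dialog is the PathName property of Win32_Service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='winlogbeat'" -ErrorAction SilentlyContinue
if ($svc) {
    $svc.PathName                                  # full command line, for reference
    Test-BeatKeystore -CommandLine $svc.PathName
} else {
    # Constructed sample command line (assumption), not taken from the thread.
    $sample = '"C:\Program Files\Winlogbeat\winlogbeat.exe" -c "C:\Program Files\Winlogbeat\winlogbeat.yml" --path.data "C:\ProgramData\winlogbeat"'
    Test-BeatKeystore -CommandLine $sample
}
```

If Exists is False, the keystore is not in the directory the service actually reads, which is the situation the reply describes.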
