Revent Windows Service Changes c:\programdata\?

Aaron_C_de_Bruyn · February 16, 2024, 1:11am

I just updated Winlogbeat on a Windows Server from 8.9.2 to 8.12.1 and the winlogbeat service won't start.

I did some quick digging, and the service runs:

"C:\Program Files\Elastic\Beats\8.12.1\winlogbeat\winlogbeat.exe" --path.home "C:\Program Files\Elastic\Beats\8.12.1\winlogbeat" --path.config "C:\Program Files\Elastic\Beats\8.12.1\winlogbeat" --path.data "C:\Program Files\Elastic\Beats\8.12.1\winlogbeat" --path.logs "C:\Program Files\Elastic\Beats\8.12.1\winlogbeat" -E logging.files.redirect_stderr=true

Did something change with paths? It used to load from c:\programdata\elastic\beats\winlogbeat\winlogbeat.yml which is easy to target using automation. Now it looks like I'm going to have to adjust the automation to not just install the latest version, but detect which version is installed, then drop the config file in a location that includes the version number and will cause the next upgrade to not have the proper config file.

I've gotta be missing something...but I didn't see anything in the changelogs about it.

strawgate · February 16, 2024, 4:10am

This is in the changelog but it looks like the formatting got broken along the way: Add MSI installer change to 8.12 release notes. by cmacknz · Pull Request #37915 · elastic/beats · GitHub

I'll see if we can get the changelog fixed.

You can use sc.exe to override the service cmdline to point back to programdata if you need to but the most secure configuration is to load the configuration from program files.

We are exploring ways to customize this using MSI install arguments but we do not have an ETA for that.

Aaron_C_de_Bruyn · February 16, 2024, 2:11pm

Thanks for the pointer @strawgate. I thought I was losing it.

I haven't done much with permissions with c:\programdata, but several tools we use store their data there and aren't accessible via normal user accounts (i.e. only administrators, domain admins, and SYSTEM can access some of the subfolders).

Wherever the config file ultimately lands, I would love to see it be an easily predictable path like it was under earlier versions, not "first figure out which version you have installed, then you can figure out the path".

strawgate · February 16, 2024, 2:20pm

We have recently added support for customizing the installdir property of the MSI Allow overriding INSTALLDIR by amitkanfer · Pull Request #241 · elastic/elastic-stack-installers · GitHub

I'll have to double check what version we expect the installdir support to land in (I think 8.13) but that will allow you to place the installation directory on disk, using an MSI cmdline flag, without the version in the path via something like msiexec /i "<full path to msi file>" \qn INSTALLDIR="C:\Program Files\Elastic\Filebeat" or an mst (MSI transform).

I suspect we'll have more info to share about the programdata change in the near future.

I'm hoping we can also allow customizing the config dir path via an MSI parameter too but no ETA on that yet.

Aaron_C_de_Bruyn · February 16, 2024, 2:33pm

Awesome--that makes fixing my issue pretty easy.

I'll postpone upgrades for a bit until the next release is cut. Thanks @strawgate !

system · March 15, 2024, 4:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.