Unable to start Winlogbeat [solved - corrupt exe file]

Hello,

I'm new to the ELK Stack, and I'm trying to make a lab environment to show my employer the benefits of using this technology.

I've already installed Elasticsearch, Kibana and Logstash on a CentOS 7 server.

Now I'm trying to configure Winlogbeat on a Windows Server 2012 R2 server, to ship the logs to Logstash.

I configured the file winlogbeat.yml with these parameters:
winlogbeat:

registry_file: "C:/ProgramData/winlogbeat/.winlogbeat.yml"
event_logs:
- name: Application
ignore_older: 72h
- name: Security
- name: System
output:
logstash:
hosts: ["10.11.3.215:5044"]

I configured a certificate in the Logstash input, so I copied the certificate to Winlogbeat (I also tried not using the certificate).

tls:
certificate_authorities: C:\Program Files\winlogbeat\logstash-forwarder.crt

shipper:
logging:
to_files: true
files:
path: C:\ProgramData\winlogbeat\Logs
rotateeverybytes: 10485760 # = 10MB
level: info

When I try to run the winlogbeat.exe executable as a service, it fails. When I try to run it from command line, I obtain this answer:

C:\Program Files\Winlogbeat>winlogbeat.exe -c winlogbeat.yml
This version of C:\Program Files\Winlogbeat\winlogbeat.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
C:\Program Files\Winlogbeat>

If I review the Event Viewer of Windows, I see:
Source: Application\Wow64 Emulation Layer
Details: The program or feature "??\C:\Program Files\Winlogbeat\winlogbeat.exe" cannot start or run due to incompatibity with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

I tried WinLogbeat in another Windows Server, 2008 R2, with the same result that I'm showing in this post.

Can you help me? What am I doing wrong?

Thanks in advance.

Regards,
Alejandro Guida

Please check the integrity of the exe file. Maybe it got corrupted?

PS C:\Users\vagrant\Downloads\winlogbeat-1.1.1-windows> certutil -hashfile .\winlogbeat.exe SHA1
SHA1 hash of file .\winlogbeat.exe:
1c 35 d0 bb 5a 2a cf c4 e1 8d 9b 11 31 0a f3 8e 39 2f 75 b9
CertUtil: -hashfile command completed successfully.

The binary is a 32-bit EXE and should run fine on 64-bit versions of Windows (assuming WOW64 wasn't disabled).

Can you also run this command and report the output:

PS C:\Users\Administrator> dism /online /get-featureinfo /featurename:ServerCore-WOW64

Also, if you put three backticks (`) around your config that would help with formatting. I can't tell if all the spacing is correct without it.
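
The integrity check suggested above, as an added Python example that is not part of the original thread: it compares a file's digest with a published value (accepting certutil's space-separated hex) and reads the PE header, which a truncated download may no longer have intact. The helper names and the tiny PE stub used as sample input are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
import tempfile

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def normalize_digest(text):
    """Accept 'aa bb cc' (older certutil output) or 'AABBCC'; return lowercase hex."""
    return "".join(text.split()).lower()

def file_digest(path, algo="sha1"):
    """Hash the file in chunks so large installers are not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def matches_published(path, published, algo="sha1"):
    """Compare the file's digest with the published one (the authoritative check)."""
    return hmac.compare_digest(file_digest(path, algo), normalize_digest(published))

def pe_machine(path):
    """Return the PE target architecture, or None if the headers are damaged."""
    with open(path, "rb") as f:
        dos = f.read(64)
        if len(dos) < 64 or dos[:2] != b"MZ":
            return None
        f.seek(struct.unpack_from("<I", dos, 0x3C)[0])  # e_lfanew: offset of "PE\0\0"
        head = f.read(6)
    if len(head) < 6 or head[:4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", head, 4)[0]
    return MACHINES.get(machine, "unknown (0x%04x)" % machine)

def make_sample(truncate_at=None):
    """Constructed stand-in for a download: a minimal 32-bit PE header stub."""
    data = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + struct.pack("<H", 0x014C)
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as f:
        f.write(data[:truncate_at])
    return f.name

if __name__ == "__main__":
    good, bad = make_sample(), make_sample(truncate_at=40)
    for p in (bad, good):  # the intact stub's digest stands in for the published hash
        print(p, matches_published(p, file_digest(good)), pe_machine(p))
        os.remove(p)
```

A header that parses cleanly does not prove the file is intact; only the digest comparison does.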

Thanks Andrew! It was the file, it was corrupted. I checked the hash and it is not equal to the correct one.

I downloaded the file again and now it is working. :slightly_smiling:

Regards,
Alejandro Guida

It is still not working. :cry:

Now ".\winlogbeat.exe -c .\winlogbeat.yml" runs OK, but ".\winlogbeat.exe -c .\winlogbeat.yml -configtest -e" gives me this error:
2016/02/29 09:10:22.950039 beat.go:80: CRIT Config error: Error validating configuration file. 1 error: At least one event log must be configured as part of event_logs

I have already configured the event_logs types in winlogbeat.yml:

event_logs:
  - name: Application
  - name: Security
  - name: System

So I don't know what this error is telling me.

Can you help me?

Thanks for your time and your patience.

Regards,
Alejandro Guida

I cannot say what the problem is without seeing your full config. With YAML, usually the problem is indentation. That error is telling you that Winlogbeat did not find your event_logs list so it's probably in the wrong place or the spacing is wrong.

The config file Winlogbeat ships with works, so start with it and then make small incremental changes. Or start from the config in the Getting Started guide; it also works.

Thanks Andrew. I did what you suggested, and it is working now.

Really excited about moving forward with this technology, it is really amazing.

Regards,
Alejandro Guida