Windows - packetbeat service failed to start

inlikefletch · September 17, 2015, 9:17pm

Hi,
I am having trouble starting the packetbeat service on my application servers and local elk stack. Even if I install on my local elasticsearch server, windows server, keep the default yml file because those configurations are fine, I get the following in the log:

The packetbeat service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

This is on a Windows Server 2012 R2 server. ps1 install works fine. The service is installed and in stopped state. But cannot start. Using packetbeat-1.0.0-beta3-windows binaries.

Thanks,
Jason

tudor · September 18, 2015, 7:34am

Just to confirm, you are starting the service from Powershell like this, right:

Start-Service packetbeat

The log files should be created under C:\ProgramData\packetbeat\Logs. Please have a look if Packetbeat prints any errors there.

inlikefletch · September 18, 2015, 2:53pm

Figured it out Tudor! WinPCap needs to be installed.

Thanks,
Jason

tudor · September 18, 2015, 2:54pm

Oh yeah, it does :-). Glad it's working and thanks for reporting back.

inlikefletch · September 18, 2015, 4:32pm

Hi Tudor,
Working great now, if I specific which device I want it to listen on, 0 or 1. But if I try to set to any, i get the following:
CRIT Initializing sniffer failed: Error creating sniffer: Error opening adapter: The system cannot find the device specified. (20)

Should it be:
device: any
or
device: "any"
or something else in packetbeat.yml

tudor · September 20, 2015, 7:34pm

Device type "any" is unfortunately not supported on Windows.

congpine · December 1, 2015, 3:58pm

Hi
I'm having the similar issue on Packetbeat 1.0.0
I have installed WinPcap and running packetbeat.exe in CMD windows works fine.
I tried to start the service in Service Manager and hit the same error.

I tried to start it with PowerShell (as Administrator) and it gave me the following error ( image attached)

I'm running Windows 8

any ideas?

tudor · December 1, 2015, 9:06pm

Please check the logs under c:\programdata\packetbeat\logs. They might contain useful information for the issue.

congpine · December 1, 2015, 9:48pm

Hi @Tudo
I did check that log, but it doesn't contain any latest info.
The last logs was few days ago- on 26th Nov 2015.

congpine · December 2, 2015, 3:46pm

Hi
I think I have found where the issue is.
I found out about this while working with filebeat.
It's the space in the path.
I have filebeat/packetbeat installed at C:/Program File/beats/
Basically, the windows service is created as:
C:/Program File/beats/filebeat.exe -c C:/Program File/beats/filebeat.yml
and service will fail to launch .
when I added double-quote to the path, the service starts fine.
"C:/Program File/beats/filebeat.exe" -c "C:/Program File/beats/filebeat.yml"
I have modified install-service-filebeat.ps1 as:

-binaryPathName "`"$workdir\\filebeat.exe `" -c `"$workdir\\filebeat.yml `""

I'm going to test this on packetbeat installation.

ruflin · December 2, 2015, 4:04pm

That seems to be the same issue that was fixed here: https://github.com/elastic/beats-packer/pull/32

Amarnath_palavalli · January 14, 2016, 8:40am

I still see the same error even with version packetbeat 1.0.1. I checked the powershell version and all pre-requisites for the commands to deploy and configure beats. Please help.

Start-Service : Service 'packetbeat (packetbeat)' cannot be started due to the following error: Cannot start service
packetbeat on computer '.'.
At line:1 char:1

Start-Service packetbeat

  + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
 ServiceCommandException
  + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

andrewkroh · January 14, 2016, 4:41pm

Hi @Amarnath_palavalli,

Could you run the following PowerShell command on your system that will show us the exact command being executed when the service runs. Paste the output in your response.

PS C:\Users\vagrant> gwmi -Query "select * from win32_service where name like '%beat'" | Format-Table -Property Name, PathName -AutoSize -Wrap

Name       PathName
----       --------
packetbeat "C:\Program Files\Packetbeat\\packetbeat.exe" -c "C:\Program Files\Packetbeat\\packetbeat.yml"

The next step is to try running the listed command on the command line, instead of as a service. In PowerShell, prepend an ampersand (&) to the command and append the options to log debugging messages to the console (-e -v -d "*").

PS C:\Users\vagrant>& "C:\Program Files\Packetbeat\\packetbeat.exe" -c "C:\Program Files\Packetbeat\\packetbeat.yml" -e -v -d "*"

See if Packetbeat starts running or fails to due an error.

Please post your formatted config file too.

Kennedy_Kan1 · April 29, 2016, 4:51am

I am starting packetbeat and topbeat on windows but turn out giving similar results as mentioned above.

When I type Start-Service topbeat or Start-Service packetbeat, it gives me the result:
PS C:\Packetbeat> Start-Service packetbeat
Start-Service : Cannot find any service with service name 'packetbeat'.
At line:1 char:1

Start-Service packetbeat
...

And I could not find the directory "programdata" under C drive

krushnat_khawale · May 2, 2016, 8:12am

Post your configuration @Kennedy_Kan1, it would be useful.