Hello, Winlogbeat Agent unexpectedly got shut down on one of the servers and now i cannot start it. when i start it in foreground it works normally but once i try to start it normally it does not show any output. If i start it from services.msc it shows the error 1067: The process terminated unexpectedly. Can you help me?
Hello!
If you are not seeing anything when running winlogbeat you can try running it with ./winlogbeat.exe -e -v so it outputs to the console.
On top of that, do you have access to the logs from the failed service start attempts? If you can't locate them, I'd suggest checking the logging options Configure logging | Beats and setting up a location accessible to you. With the logs will be much easier to figure out what could be causing the issues
Hello, thank you for your answer i checked logs and this is last log message i get: "2025-07-04T18:16:50.421+0400 ERROR instance/beat.go:1027 Exiting: yaml: control characters are not allowed" but i think my yaml conifg is correct what could be problem?
do you have the same result from the service start than when running it with ./winlogbeat.exe -e -v ? If so I would ensure my config is correct and utf8 encoded, if you edited it in windows is possible the encoding got changed for example, depending on the software you used.