After upgrading from winlogbeat 6.4 to 7.5, on a Windows 10 1909 system, it appears to start as a service (indicates it is running) but never starts sending logs. I can start wlb from the command line, and it does start logging fine but nothing happens when I start the service.
My winlogbeat.yml looks like this:
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: Security
- name: System
- name: "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
- name: "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
#================================ General =====================================
# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: ACCTG
# The tags of the shipper are included in their own field with each
# transaction published.
tags: ["Redacted for privacy"]
# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["[redacted]-elk:5444"]
enabled: true
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: info
logging.to_files: true
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
processors:
- drop_fields:
fields: ["hosts"]
And a sample of the log file when I start from cli looks like this:
2019-12-08T09:13:16.452-0500 INFO instance/beat.go:610 Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\Program Files\winlogbeat\data] Logs path: [C:\Program Files\winlogbeat\logs]
2019-12-08T09:13:16.464-0500 INFO instance/beat.go:618 Beat ID: 13c37a34-5f1d-4992-a6bb-5d2f351ae6eb
2019-12-08T09:13:16.464-0500 INFO [beat] instance/beat.go:941 Beat info {"system_info": {"beat": {"path": {"config": "C:\Program Files\winlogbeat", "data": "C:\Program Files\winlogbeat\data", "home": "C:\Program Files\winlogbeat", "logs": "C:\Program Files\winlogbeat\logs"}, "type": "winlogbeat", "uuid": "13c37a34-5f1d-4992-a6bb-5d2f351ae6eb"}}}
2019-12-08T09:13:16.465-0500 INFO [beat] instance/beat.go:950 Build info {"system_info": {"build": {"commit": "6d0d0ae079e5cb1d4f224801ac6df926dfb1594c", "libbeat": "7.5.0", "time": "2019-11-26T00:15:08.000Z", "version": "7.5.0"}}}
2019-12-08T09:13:16.465-0500 INFO [beat] instance/beat.go:953 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.12.12"}}}
2019-12-08T09:13:16.484-0500 INFO [beat] instance/beat.go:957 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-12-08T08:50:34.35-05:00","name":"FQC-NB7-TMCDONA","ip":["10.50.7.17/24","fe80::ed92:aa35:7861:2f42/64","169.254.47.66/16","fe80::b849:22cc:2e62:b4e1/64","169.254.180.225/16","fe80::4547:921e:7eb1:a648/64","169.254.166.72/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.18362.476 (WinBuild.160101.0800)","mac":["f0:1f:af:67:f5:24","00:ff:a0:88:a2:4d","48:5a:b6:7c:db:9e","28:e3:47:01:1c:04"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"18362.476"},"timezone":"EST","timezone_offset_sec":-18000,"id":"dfb8fe8b-839a-47ff-955f-a735db311bbc"}}}
2019-12-08T09:13:16.488-0500 INFO [beat] instance/beat.go:986 Process info {"system_info": {"process": {"cwd": "C:\Program Files\winlogbeat", "exe": "C:\Program Files\winlogbeat\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 2784, "ppid": 3792, "start_time": "2019-12-08T09:13:16.338-0500"}}}
2019-12-08T09:13:16.488-0500 INFO instance/beat.go:297 Setup Beat: winlogbeat; Version: 7.5.0
2019-12-08T09:13:16.489-0500 INFO [publisher] pipeline/module.go:97 Beat name: ACCTG
2019-12-08T09:13:16.489-0500 INFO beater/winlogbeat.go:69 State will be read from and persisted to C:\Program Files\winlogbeat\data.winlogbeat.yml
2019-12-08T09:13:16.489-0500 INFO instance/beat.go:429 winlogbeat start running.
2019-12-08T09:13:16.489-0500 INFO [monitoring] log/log.go:118 Starting metrics logging every 30s
2019-12-08T09:13:17.561-0500 INFO pipeline/output.go:95 Connecting to backoff(async(tcp://fuqua-elk:5444))
2019-12-08T09:13:17.563-0500 INFO pipeline/output.go:105 Connection to backoff(async(tcp://[redacted]-elk:5444)) established
2019-12-08T09:13:18.119-0500 INFO beater/eventlogger.go:81 EventLog[Microsoft-Windows-Windows Firewall With Advanced Security/Firewall] successfully published 308 events
2019-12-08T09:13:18.120-0500 INFO beater/eventlogger.go:81 EventLog[System] successfully published 1040 events
2019-12-08T09:13:18.120-0500 INFO beater/eventlogger.go:81 EventLog[Security] successfully published 700 events
2019-12-08T09:13:18.904-0500 INFO beater/eventlogger.go:81 EventLog[System] successfully published 1060 events
2019-12-08T09:13:18.904-0500 INFO beater/eventlogger.go:81 EventLog[Security] successfully published 800 events
I've done this same upgrade on multiple other systems ranging from Server 2008R2 to Server 2012 using essentially the same .yml file without any issues. Also, on the failing system the upgrade to filebeat 7.5 went flawlessly.
Everything is talking to a full stack that is current to 7.5.
*** Update - Logs weren't shipping because of a field limit in Logstash on the receiving end. Winlogbeat is running as a service, but is not logging in that configuration, which is a different kind of problem I guess.