Winlogbeat - Cannot start

NewmazN24 · October 8, 2019, 2:48pm

Hello Folks,

I use SSL/TLS encryption, it works fine. I use keystore to access my password. When I launch winlogbeat from powershell, it fails, see error below.

However, if I make it run manually from PowerShell, I have no errors. I can see my logs on Kibana.
That is how I call my password.

output.elasticsearch:
  protocol: "https"
  username: "elastic"
  password: "${ES_PWD}"

.\winlogbeat.exe test config -c .\winlogbeat.yml -e return Config OK.

Error

Winlogbeat logs

2019-10-08T10:38:27.985-0400 ERROR instance/beat.go:878 Exiting: error initializing publisher: missing field accessing 'output.elasticsearch.password' (source:'C:\Program Files\winlogbeat\winlogbeat.yml')

PowerShell

> start-service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot open winlogbeat
> service on computer '.'.
> At line:1 char:1
> + start-service winlogbeat
> + ~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
>    ServiceCommandException
>     + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

I have read from a previous post to copy my keystore where my winlogbeat.yml file is, which I did, but it still fails. Any insight ?

Links

NewmazN24 · October 8, 2019, 3:17pm

If I do edit .yml to have clear password, it works fine. However, that's not what I am looking for.

andrewkroh · October 8, 2019, 3:23pm

The Windows service for running Winlogbeat (or any Beat) is setting the -path.data flag to C:\ProgramData\winlogbeat. And I think this causes Winlogbeat to be looking in that directory for the keystore. Can you try moving your keystore there and starting the service.

There's an bug open but it hasn't been addressed: https://github.com/elastic/beats/issues/12315

NewmazN24 · October 8, 2019, 3:29pm

So I found the answer. It was the most ... easiest thing I haven't tested. I feel quit dumb haha.

Solution
password: "${ES_PWD}" => password: "$ES_PWD"

That was it. Moving keystore where winlogbeat.yml is changes nothing. Tried it. I really laughed at myself on that.

system · November 5, 2019, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.