Winlogbeat - Cannot start

Hello Folks,

I use SSL/TLS encryption, it works fine. I use keystore to access my password. When I launch winlogbeat from powershell, it fails, see error below.

However, if I make it run manually from PowerShell, I have no errors. I can see my logs on Kibana.
That is how I call my password.

  protocol: "https"
  username: "elastic"
  password: "${ES_PWD}"

.\winlogbeat.exe test config -c .\winlogbeat.yml -e returns Config OK.


Winlogbeat logs

2019-10-08T10:38:27.985-0400 ERROR instance/beat.go:878 Exiting: error initializing publisher: missing field accessing 'output.elasticsearch.password' (source:'C:\Program Files\winlogbeat\winlogbeat.yml')


> start-service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot open winlogbeat
> service on computer '.'.
> At line:1 char:1
> + start-service winlogbeat
> + ~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
>    ServiceCommandException
>     + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

I have read from a previous post to copy my keystore where my winlogbeat.yml file is, which I did, but it still fails. Any insight?


If I do edit .yml to have clear password, it works fine. However, that's not what I am looking for.

The Windows service for running Winlogbeat (or any Beat) is setting the flag to C:\ProgramData\winlogbeat. And I think this causes Winlogbeat to be looking in that directory for the keystore. Can you try moving your keystore there and starting the service?

There's a bug open but it hasn't been addressed:

So I found the answer. It was the most ... easiest thing I haven't tested. I feel quite dumb haha.

password: "${ES_PWD}" => password: "$ES_PWD"

That was it. Moving keystore where winlogbeat.yml is changes nothing. Tried it. I really laughed at myself on that.

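To test the data-directory explanation offered in the reply above, this added PowerShell sketch (not code from any poster or from Elastic) reads the flags the Windows service was registered with and lists the key names in the keystore under that directory. The service name winlogbeat and the key ES_PWD come from the thread; the winlogbeat.keystore file name and the use of --path.data and -c with the keystore subcommand are assumptions about the installed version.

```powershell
# Added example. Assumptions: service name 'winlogbeat' and key ES_PWD (from the thread),
# keystore file named 'winlogbeat.keystore' inside the service's data directory.
$ServiceName = 'winlogbeat'
$KeyName     = 'ES_PWD'

# Return the value of a flag written as -flag "v", --flag v or --flag=v.
function Get-BeatFlag {
    param([string]$CommandLine, [string]$Flag)
    $pattern = '(?<=\s)-{1,2}' + [regex]::Escape($Flag) + '(?:=|\s+)(?:"([^"]*)"|(\S+))'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }
    if ($m.Groups[1].Success) { return $m.Groups[1].Value }
    return $m.Groups[2].Value
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }

# The executable is the first token of the service command line, quoted or bare.
$exeMatch = [regex]::Match($svc.PathName, '^\s*(?:"([^"]+)"|(\S+))')
$exe = if ($exeMatch.Groups[1].Success) { $exeMatch.Groups[1].Value } else { $exeMatch.Groups[2].Value }

$config  = Get-BeatFlag $svc.PathName 'c'
$dataDir = Get-BeatFlag $svc.PathName 'path.data'

"Service account : $($svc.StartName)"
"Config file     : $config"
"Data directory  : $dataDir"
if (-not $dataDir) { throw "No path.data flag on the service command line; nothing to compare." }

$keystore = Join-Path $dataDir 'winlogbeat.keystore'
"Keystore file   : $keystore (exists: $(Test-Path -LiteralPath $keystore))"

# 'keystore list' prints key names only, never the secret values.
$beatArgs = @('keystore', 'list', '--path.data', $dataDir)
if ($config) { $beatArgs += @('-c', $config) }
$keys = @(& $exe @beatArgs 2>$null)

if ($keys -contains $KeyName) {
    "OK: '$KeyName' is in the keystore the service reads."
} else {
    "MISSING: '$KeyName' is not in the service's keystore. Keys found: $($keys -join ', ')"
}
```

Run it from an elevated prompt so the data directory is readable; a MISSING result means the key was added to a keystore under a different data directory than the one the service uses.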