Winlogbeat - Cannot start

NewmazN24 · October 8, 2019, 2:48pm

Hello Folks,

I use SSL/TLS encryption, it works fine. I use keystore to access my password. When I launch winlogbeat from powershell, it fails, see error below.

However, if I make it run manually from PowerShell, I have no errors. I can see my logs on Kibana.
That is how I call my password.

output.elasticsearch:
  protocol: "https"
  username: "elastic"
  password: "${ES_PWD}"

.\winlogbeat.exe test config -c .\winlogbeat.yml -e return Config OK.

Error

Winlogbeat logs

2019-10-08T10:38:27.985-0400 ERROR instance/beat.go:878 Exiting: error initializing publisher: missing field accessing 'output.elasticsearch.password' (source:'C:\Program Files\winlogbeat\winlogbeat.yml')

PowerShell

> start-service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot open winlogbeat
> service on computer '.'.
> At line:1 char:1
> + start-service winlogbeat
> + ~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
>    ServiceCommandException
>     + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

I have read from a previous post to copy my keystore where my winlogbeat.yml file is, which I did, but it still fails. Any insight ?

Links

NewmazN24 · October 8, 2019, 3:17pm

If I do edit .yml to have clear password, it works fine. However, that's not what I am looking for.

andrewkroh · October 8, 2019, 3:23pm

The Windows service for running Winlogbeat (or any Beat) is setting the -path.data flag to C:\ProgramData\winlogbeat. And I think this causes Winlogbeat to be looking in that directory for the keystore. Can you try moving your keystore there and starting the service.

There's an bug open but it hasn't been addressed: https://github.com/elastic/beats/issues/12315

NewmazN24 · October 8, 2019, 3:29pm

So I found the answer. It was the most ... easiest thing I haven't tested. I feel quit dumb haha.

Solution
password: "${ES_PWD}" => password: "$ES_PWD"

That was it. Moving keystore where winlogbeat.yml is changes nothing. Tried it. I really laughed at myself on that.

Topic		Replies	Views
Issue with Keystore on winlogbeat Beats winlogbeat	10	1146	January 27, 2022
Winlogbeat gives unathorized error when using keystore Beats elastic-stack-security , winlogbeat	3	1199	July 28, 2020
Winlogbeat Secrets Key Store Beats winlogbeat	3	406	August 3, 2021
Winlogbeat keystore windows Beats winlogbeat	7	608	April 28, 2021
Settings from keystore doesnot load Beats	5	4172	June 20, 2019

Winlogbeat - Cannot start

Links

Related topics