The default Winlogbeat path.data is ${path.home}/data, documented here https://www.elastic.co/guide/en/beats/winlogbeat/current/directory-layout.html.
However, the default service installer install-service-winlogbeat.ps1 is programmed to set -path.data to "C:\ProgramData\winlogbeat" instead. Is this intentional, and why?
.\winlogbeat.exe keystore create creates the file ${path.home}/data/winlogbeat.keystore as documented here https://www.elastic.co/guide/en/beats/winlogbeat/current/keystore.html
In winlogbeat.yml i configure cloud.id: "${CLOUD_ID}" and cloud.auth: "${ES_PWD}"
Now when i go Start-Service Winlogbeat, tries to start, sets the path.data to C:\programdata\winlogbeat\ and fails because it isn't seeing my keystore items and provides the error ERROR instance/beat.go:877 Exiting: error initializing publisher: missing required field accessing 'output.elasticsearch.hosts.
If i copy the winlogbeat.keystore to C:\programdata\winlogbeat\winlogbeat.keystore which is where the service has path.data configured, it starts up as expected and the packets flow.
I don't like that i have to change default paths to make things work, however i suspect i am doing something wrong, so please help... Alternatively if this is not expected, ill raise a software bug/issue.