I have created a keystore for winlogbeats as the administrator and modified winlogbeat.yml
When i try and start the service it fails (running as local system)
if i run winlogbeat manually it starts
I can see the issue, any suggestions how i go about creating a keystore so that local service can access the keystore?
Thanks
Hi @jsoriano
I get the error
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Also another issue would be that i cannot supply the key in the same command as adding. Trying to create an install script that installs the winlogbeat msi, creates and adds a value to the keystore rather than keeping the key in the .yml
Thanks
You may be hitting this issue: [Windows] Beats service fail to start when keystore is used · Issue #12315 · elastic/beats · GitHub
Could you try moving the keystore to the data directory?
thanks that is interesting, i could see a keystore in C:\ProgramData\Elastic\Beats\winlogbeat\data and C:\Program Files\Elastic\Beats\7.12.0\winlogbeat\data both with todays date although program files was a later time
Although despite running
winlogbeat.exe" -c "C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml" keystore create -E keystore.path= C:\ProgramData\Elastic\Beats\winlogbeat\data
it was the program files that ended up updating
As a test i have copied the keystore from program files and copied to programdata and winlogbeat started.
Do you know if it is possible to supply the keystore add with the password as part of the command?
The keystore add subcommand has a --stdin flag to provide a value from the standard input, there is an example in the docs: Secrets keystore for secure settings | Winlogbeat Reference [7.12] | Elastic.
Example is for a unix shell, but something similar should also work with powershell.
Thanks for the help, defined path.data in winlogbeat.yml, it now creates the keystore in the correct place and used the stdin and powershell to add the key and password. Service starting ok.
Thanks
Phil
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.