Winlogbeat keystore windows

I have created a keystore for winlogbeats as the administrator and modified winlogbeat.yml

When i try and start the service it fails (running as local system)
if i run winlogbeat manually it starts

I can see the issue, any suggestions how i go about creating a keystore so that local service can access the keystore?

Thanks

Hi @probson,

How does Winlogbeat fails? does it report any error?

Hi @jsoriano

I get the error
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

Also another issue would be that i cannot supply the key in the same command as adding. Trying to create an install script that installs the winlogbeat msi, creates and adds a value to the keystore rather than keeping the key in the .yml

Thanks

You may be hitting this issue: [Windows] Beats service fail to start when keystore is used · Issue #12315 · elastic/beats · GitHub

Could you try moving the keystore to the data directory?

thanks that is interesting, i could see a keystore in C:\ProgramData\Elastic\Beats\winlogbeat\data and C:\Program Files\Elastic\Beats\7.12.0\winlogbeat\data both with todays date although program files was a later time

Although despite running

winlogbeat.exe" -c "C:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml" keystore create -E keystore.path= C:\ProgramData\Elastic\Beats\winlogbeat\data

it was the program files that ended up updating

As a test i have copied the keystore from program files and copied to programdata and winlogbeat started.

Do you know if it is possible to supply the keystore add with the password as part of the command?

The keystore add subcommand has a --stdin flag to provide a value from the standard input, there is an example in the docs: Secrets keystore for secure settings | Winlogbeat Reference [7.12] | Elastic.
Example is for a unix shell, but something similar should also work with powershell.

1 Like

@jsoriano

Thanks for the help, defined path.data in winlogbeat.yml, it now creates the keystore in the correct place and used the stdin and powershell to add the key and password. Service starting ok.

Thanks
Phil

1 Like