Winlogbeat run as service issues

Hey there,

I'm facing a challenge while trying to centralize logging for three servers in Elastic Cloud, and I could really use some help from the community.

Here's the issue I'm encountering: When I try to install it as a Windows service using the command ".\install-service-winlogbeat.ps1," it doesn't seem to work. Initially, I thought it might be a keystore problem since authentication fails when running it as a service.

To troubleshoot, I made a modification directly in the winlogbeat.yml file by adding "cloud.auth: USERNAME:KEY" for authentication. This change did authenticate successfully, but unfortunately, no data is being received.

Interestingly, when I run ".\winlogbeat.exe -e -c .\winlogbeat.yml" in an administrative PowerShell, everything seems to work fine. The keystore functions properly, and events are successfully indexed in Elastic Cloud.

I'm reaching out to the community for assistance in understanding where I might be going wrong. Any insights or suggestions would be greatly appreciated. Please let me know if there's any additional information I can provide to help diagnose the issue.

/Martin

Hey @Emorta and welcome to the community!

To clarify, when you install using the ps1 file, does the winlogbeat service get installed properly and you can interact with the service in the services.msc?

If so, what do the winlogbeat logs say when the service is running after the install?

Hello @eMitch
Yes, to be clearer in my description: the service is installed correctly and works from the MMC as well (start, stop, etc.).
Log when running as a service:

2023-07-11T08:07:14.688+0200	INFO	instance/beat.go:686	Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs] Hostfs Path: [/]
2023-07-11T08:07:14.699+0200	INFO	instance/beat.go:694	Beat ID: b00f7c63-4525-487d-8b71-caf0e161b4b0
2023-07-11T08:07:17.712+0200	WARN	[add_cloud_metadata]	add_cloud_metadata/provider_aws_ec2.go:79	read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
2023-07-11T08:07:17.713+0200	INFO	[beat]	instance/beat.go:1040	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Winlogbeat", "data": "C:\\ProgramData\\winlogbeat", "home": "C:\\Program Files\\Winlogbeat", "logs": "C:\\ProgramData\\winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "b00f7c63-4525-487d-8b71-caf0e161b4b0"}}}
2023-07-11T08:07:17.713+0200	INFO	[beat]	instance/beat.go:1049	Build info	{"system_info": {"build": {"commit": "7e56c4a053a2fe26c0cac168dd974780428a2aa6", "libbeat": "7.16.1", "time": "2021-12-11T02:10:07.000Z", "version": "7.16.1"}}}
2023-07-11T08:07:17.713+0200	INFO	[beat]	instance/beat.go:1052	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.17.2"}}}
2023-07-11T08:07:17.717+0200	INFO	[beat]	instance/beat.go:1056	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-07-10T13:52:10.52+02:00","name":"HOSTNAME","ip":["XXX.XXX.XXX.XX/24","::1/128","127.0.0.1/8"],"kernel_version":"6.3.9600.21013 (winblue_ltsb_escrow.230512-1823)","mac":["00:50:56:a1:69:89","00:00:00:00:00:00:00:e0"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2012 R2 Standard","version":"6.3","major":3,"minor":0,"patch":0,"build":"9600.21013"},"timezone":"CEST","timezone_offset_sec":7200,"id":"3ccd2616-1152-40ea-ba29-f09a05b0b236"}}}
2023-07-11T08:07:17.717+0200	INFO	[beat]	instance/beat.go:1085	Process info	{"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 5432, "ppid": 724, "start_time": "2023-07-11T08:07:14.491+0200"}}}
2023-07-11T08:07:17.717+0200	INFO	instance/beat.go:328	Setup Beat: winlogbeat; Version: 7.16.1
2023-07-11T08:07:17.718+0200	INFO	[index-management]	idxmgmt/std.go:184	Set output.elasticsearch.index to 'metricbeat-internal_it-7.16.1' as ILM is enabled.
2023-07-11T08:07:17.718+0200	INFO	[esclientleg]	eslegclient/connection.go:102	elasticsearch url: https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243
2023-07-11T08:07:17.718+0200	INFO	[publisher]	pipeline/module.go:113	Beat name: HOSTNAME
2023-07-11T08:07:17.718+0200	INFO	[winlogbeat]	beater/winlogbeat.go:66	State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
2023-07-11T08:07:17.719+0200	INFO	instance/beat.go:492	winlogbeat start running.
2023-07-11T08:07:17.719+0200	INFO	[monitoring]	log/log.go:142	Starting metrics logging every 30s
2023-07-11T08:07:20.719+0200	INFO	[add_cloud_metadata]	add_cloud_metadata/add_cloud_metadata.go:101	add_cloud_metadata: hosting provider type not detected.
2023-07-11T08:07:21.722+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:143	Connecting to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243))
2023-07-11T08:07:21.722+0200	INFO	[publisher]	pipeline/retry.go:219	retryer: send unwait signal to consumer
2023-07-11T08:07:21.722+0200	INFO	[publisher]	pipeline/retry.go:223	  done
2023-07-11T08:07:21.932+0200	INFO	[esclientleg]	eslegclient/connection.go:282	Attempting to connect to Elasticsearch version 8.6.2
2023-07-11T08:07:22.053+0200	INFO	[esclientleg]	eslegclient/connection.go:282	Attempting to connect to Elasticsearch version 8.6.2
2023-07-11T08:07:22.124+0200	INFO	[index-management]	idxmgmt/std.go:261	Auto ILM enable success.
2023-07-11T08:07:22.243+0200	INFO	[index-management.ilm]	ilm/std.go:170	ILM policy metricbeat-hesehus-standard-policy exists already.
2023-07-11T08:07:22.243+0200	INFO	[index-management]	idxmgmt/std.go:397	Set setup.template.name to '{metricbeat-internal_it-7.16.1 {now/d}-000001}' as ILM is enabled.
2023-07-11T08:07:22.243+0200	INFO	[index-management]	idxmgmt/std.go:402	Set setup.template.pattern to 'metricbeat-internal_it-7.16.1-*' as ILM is enabled.
2023-07-11T08:07:22.243+0200	INFO	[index-management]	idxmgmt/std.go:436	Set settings.index.lifecycle.rollover_alias in template to {metricbeat-internal_it-7.16.1 {now/d}-000001} as ILM is enabled.
2023-07-11T08:07:22.243+0200	INFO	[index-management]	idxmgmt/std.go:440	Set settings.index.lifecycle.name in template to {metricbeat-hesehus-standard-policy {"policy":{"phases":{"hot":{"actions":{"rollover":{"max_age":"30d","max_size":"50gb"}}}}}}} as ILM is enabled.
2023-07-11T08:07:22.287+0200	INFO	template/load.go:111	Template "metricbeat-internal_it-7.16.1" already exists and will not be overwritten.
2023-07-11T08:07:22.287+0200	INFO	[index-management]	idxmgmt/std.go:297	Loaded index template.
2023-07-11T08:07:22.326+0200	INFO	[index-management.ilm]	ilm/std.go:126	Index Alias metricbeat-internal_it-7.16.1 exists already.
2023-07-11T08:07:22.359+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:151	Connection to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)) established
2023-07-11T08:07:47.736+0200	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":421,"time":{"ms":421}},"total":{"ticks":827,"time":{"ms":827},"value":827},"user":{"ticks":406,"time":{"ms":406}}},"handles":{"open":313},"info":{"ephemeral_id":"3e5c0fee-2de7-4e06-95bc-6a1db480fb00","uptime":{"ms":33120},"version":"7.16.1"},"memstats":{"gc_next":10471504,"memory_alloc":5998600,"memory_sys":23362360,"memory_total":21859672,"rss":45518848},"runtime":{"goroutines":25}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":74,"active":0,"batches":12,"total":74},"read":{"bytes":12962},"type":"elasticsearch","write":{"bytes":221826}},"pipeline":{"clients":1,"events":{"active":5,"published":79,"retry":28,"total":79},"queue":{"acked":74,"max_events":4096}}},"system":{"cpu":{"cores":4}}}}}
2023-07-11T08:08:17.728+0200	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":578,"time":{"ms":157}},"total":{"ticks":1156,"time":{"ms":329},"value":1156},"user":{"ticks":578,"time":{"ms":172}}},"handles":{"open":315},"info":{"ephemeral_id":"3e5c0fee-2de7-4e06-95bc-6a1db480fb00","uptime":{"ms":63121},"version":"7.16.1"},"memstats":{"gc_next":10992416,"memory_alloc":8355824,"memory_total":28097392,"rss":46268416},"runtime":{"goroutines":25}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":57,"active":0,"batches":14,"total":57},"read":{"bytes":8040},"write":{"bytes":164645}},"pipeline":{"clients":1,"events":{"active":3,"published":55,"total":55},"queue":{"acked":57}}}}}}
2023-07-11T08:08:47.730+0200	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":703,"time":{"ms":125}},"total":{"ticks":1437,"time":{"ms":281},"value":1437},"user":{"ticks":734,"time":{"ms":156}}},"handles":{"open":317},"info":{"ephemeral_id":"3e5c0fee-2de7-4e06-95bc-6a1db480fb00","uptime":{"ms":93113},"version":"7.16.1"},"memstats":{"gc_next":11119872,"memory_alloc":7176984,"memory_total":35504328,"rss":46952448},"runtime":{"goroutines":25}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":92,"active":0,"batches":12,"total":92},"read":{"bytes":7162},"write":{"bytes":256067}},"pipeline":{"clients":1,"events":{"active":4,"published":93,"total":93},"queue":{"acked":92}}}}}}
2023-07-11T08:09:17.730+0200	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":828,"time":{"ms":125}},"total":{"ticks":1765,"time":{"ms":328},"value":1765},"user":{"ticks":937,"time":{"ms":203}}},"handles":{"open":321},"info":{"ephemeral_id":"3e5c0fee-2de7-4e06-95bc-6a1db480fb00","uptime":{"ms":123117},"version":"7.16.1"},"memstats":{"gc_next":11476272,"memory_alloc":9294344,"memory_total":42387208,"rss":46616576},"runtime":{"goroutines":25}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":59,"active":0,"batches":16,"total":59},"read":{"bytes":9173},"write":{"bytes":182930}},"pipeline":{"clients":1,"events":{"active":0,"published":55,"total":55},"queue":{"acked":59}}}}}}


And when I use the keystore instead of putting the credentials directly in the yml file, the log shows:

2023-07-11T11:26:12.572+0200	INFO	instance/beat.go:686	Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\ProgramData\winlogbeat\logs] Hostfs Path: [/]
2023-07-11T11:26:12.580+0200	INFO	instance/beat.go:694	Beat ID: b00f7c63-4525-487d-8b71-caf0e161b4b0
2023-07-11T11:26:15.595+0200	WARN	[add_cloud_metadata]	add_cloud_metadata/provider_aws_ec2.go:79	read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
2023-07-11T11:26:15.596+0200	INFO	[beat]	instance/beat.go:1040	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Winlogbeat", "data": "C:\\ProgramData\\winlogbeat", "home": "C:\\Program Files\\Winlogbeat", "logs": "C:\\ProgramData\\winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "b00f7c63-4525-487d-8b71-caf0e161b4b0"}}}
2023-07-11T11:26:15.596+0200	INFO	[beat]	instance/beat.go:1049	Build info	{"system_info": {"build": {"commit": "7e56c4a053a2fe26c0cac168dd974780428a2aa6", "libbeat": "7.16.1", "time": "2021-12-11T02:10:07.000Z", "version": "7.16.1"}}}
2023-07-11T11:26:15.596+0200	INFO	[beat]	instance/beat.go:1052	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.17.2"}}}
2023-07-11T11:26:15.601+0200	INFO	[beat]	instance/beat.go:1056	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-07-10T13:52:10.84+02:00","name":"HOSTNAME","ip":["XXX.XXX.XXX.XXX/24","::1/128","127.0.0.1/8"],"kernel_version":"6.3.9600.21013 (winblue_ltsb_escrow.230512-1823)","mac":["00:50:56:a1:69:89","00:00:00:00:00:00:00:e0"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2012 R2 Standard","version":"6.3","major":3,"minor":0,"patch":0,"build":"9600.21013"},"timezone":"CEST","timezone_offset_sec":7200,"id":"3ccd2616-1152-40ea-ba29-f09a05b0b236"}}}
2023-07-11T11:26:15.601+0200	INFO	[beat]	instance/beat.go:1085	Process info	{"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 4728, "ppid": 724, "start_time": "2023-07-11T11:26:12.400+0200"}}}
2023-07-11T11:26:15.601+0200	INFO	instance/beat.go:328	Setup Beat: winlogbeat; Version: 7.16.1
2023-07-11T11:26:15.601+0200	INFO	[index-management]	idxmgmt/std.go:184	Set output.elasticsearch.index to 'metricbeat-internal_it-7.16.1' as ILM is enabled.
2023-07-11T11:26:15.601+0200	INFO	[esclientleg]	eslegclient/connection.go:102	elasticsearch url: https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243
2023-07-11T11:26:15.602+0200	INFO	[publisher]	pipeline/module.go:113	Beat name: HOSTNAME
2023-07-11T11:26:15.602+0200	INFO	[winlogbeat]	beater/winlogbeat.go:66	State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
2023-07-11T11:26:15.602+0200	INFO	instance/beat.go:492	winlogbeat start running.
2023-07-11T11:26:15.602+0200	INFO	[monitoring]	log/log.go:142	Starting metrics logging every 30s
2023-07-11T11:26:18.596+0200	INFO	[add_cloud_metadata]	add_cloud_metadata/add_cloud_metadata.go:101	add_cloud_metadata: hosting provider type not detected.
2023-07-11T11:26:19.603+0200	INFO	[publisher]	pipeline/retry.go:219	retryer: send unwait signal to consumer
2023-07-11T11:26:19.603+0200	INFO	[publisher]	pipeline/retry.go:223	  done
2023-07-11T11:26:19.603+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:143	Connecting to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243))
2023-07-11T11:26:21.754+0200	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
2023-07-11T11:26:21.754+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:145	Attempting to reconnect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)) with 1 reconnect attempt(s)
2023-07-11T11:26:21.754+0200	INFO	[publisher]	pipeline/retry.go:219	retryer: send unwait signal to consumer
2023-07-11T11:26:21.754+0200	INFO	[publisher]	pipeline/retry.go:223	  done
2023-07-11T11:26:25.550+0200	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
2023-07-11T11:26:25.550+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:145	Attempting to reconnect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)) with 2 reconnect attempt(s)
2023-07-11T11:26:25.550+0200	INFO	[publisher]	pipeline/retry.go:219	retryer: send unwait signal to consumer
2023-07-11T11:26:25.550+0200	INFO	[publisher]	pipeline/retry.go:223	  done
2023-07-11T11:26:31.903+0200	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
2023-07-11T11:26:31.903+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:145	Attempting to reconnect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)) with 3 reconnect attempt(s)
2023-07-11T11:26:31.903+0200	INFO	[publisher]	pipeline/retry.go:219	retryer: send unwait signal to consumer
2023-07-11T11:26:31.903+0200	INFO	[publisher]	pipeline/retry.go:223	  done
2023-07-11T11:26:43.785+0200	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
2023-07-11T11:26:43.785+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:145	Attempting to reconnect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)) with 4 reconnect attempt(s)
2023-07-11T11:26:43.785+0200	INFO	[publisher]	pipeline/retry.go:213	retryer: send wait signal to consumer
2023-07-11T11:26:43.785+0200	INFO	[publisher]	pipeline/retry.go:217	  done
2023-07-11T11:26:45.613+0200	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":156,"time":{"ms":156}},"total":{"ticks":359,"time":{"ms":359},"value":0},"user":{"ticks":203,"time":{"ms":203}}},"handles":{"open":316},"info":{"ephemeral_id":"c5b6442f-b356-4c18-8b3b-1b3aea0c6f87","uptime":{"ms":33109},"version":"7.16.1"},"memstats":{"gc_next":10394848,"memory_alloc":8855696,"memory_sys":18770536,"memory_total":18705368,"rss":45326336},"runtime":{"goroutines":25}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"read":{"bytes":3220},"type":"elasticsearch","write":{"bytes":1385}},"pipeline":{"clients":1,"events":{"active":70,"published":70,"retry":42,"total":70},"queue":{"max_events":4096}}},"system":{"cpu":{"cores":4}}}}}
2023-07-11T11:27:15.439+0200	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)): 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}
2023-07-11T11:27:15.439+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:145	Attempting to reconnect to backoff(elasticsearch(https://22293332c133334bd33343fedb17222.northeurope.azure.elastic-cloud.com:9243)) with 5 reconnect attempt(s)
2023-07-11T11:27:15.615+0200	INFO	[monitoring]	log/log.go:184	Non-zero metrics in the last 30s	{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":203,"time":{"ms":47}},"total":{"ticks":453,"time":{"ms":94},"value":453},"user":{"ticks":250,"time":{"ms":47}}},"handles":{"open":316},"info":{"ephemeral_id":"c5b6442f-b356-4c18-8b3b-1b3aea0c6f87","uptime":{"ms":63106},"version":"7.16.1"},"memstats":{"gc_next":12871056,"memory_alloc":6540512,"memory_sys":4329680,"memory_total":19593824,"rss":45805568},"runtime":{"goroutines":25}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"read":{"bytes":644},"write":{"bytes":277}},"pipeline":{"clients":1,"events":{"active":86,"published":16,"total":16}}}}}}

Found the solution.
The service expected the keystore to be in:

"`"$workdir\winlogbeat.exe`" --environment=windows_service -c `"$workdir\winlogbeat.yml`" --path.home `"$workdir`" --path.data `"$env:PROGRAMDATA\winlogbeat`" --path.logs `"$env:PROGRAMDATA\winlogbeat\logs`" -E logging.files.redirect_stderr=true"

changed it to

"`"$workdir\winlogbeat.exe`" --environment=windows_service -c `"$workdir\winlogbeat.yml`" --path.home `"$workdir`" --path.data `"$workdir\data`" --path.logs `"$workdir\logs`" -E logging.files.redirect_stderr=true"

Now it works. I think I misunderstood the location of the keystore?
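The root cause in this thread is that the Beats keystore lives under `path.data`, so a keystore created from an interactive shell (default data path next to the binary) is invisible to a service whose definition points `--path.data` at `%PROGRAMDATA%\winlogbeat`, and the service falls through to the 401 "missing authentication credentials" errors shown above. The following PowerShell check is an added example, not code from the thread or from Elastic: it reads the command line the service was registered with, extracts `--path.data`, and verifies that a `winlogbeat.keystore` exists there, then checks that the file is not readable by broad groups. The service name `winlogbeat`, the install directory, the keystore file name `winlogbeat.keystore` under the data path, and the `keystore create --path.data` invocation in the remediation hint are assumptions based on the Beats defaults.

```powershell
# Added example (not from the thread): confirm the Winlogbeat service's --path.data
# points at the directory that actually contains the keystore it is supposed to load.
# Assumptions: service name 'winlogbeat', install dir below, keystore file named
# 'winlogbeat.keystore' under path.data (Beats default).
$ServiceName = 'winlogbeat'
$InstallDir  = 'C:\Program Files\Winlogbeat'

# 1. Read the command line the service manager will use to start the beat.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }
Write-Host "Service binary path:`n  $($svc.PathName)"

# 2. Pull --path.data out of it (quoted form first, then unquoted fallback).
$dataPath = $null
if ($svc.PathName -match '--path\.data\s+"([^"]+)"') {
    $dataPath = $Matches[1]
} elseif ($svc.PathName -match '--path\.data\s+(\S+)') {
    $dataPath = $Matches[1]
}
if (-not $dataPath) {
    throw 'Service definition has no --path.data; the beat would use its default data directory.'
}

# 3. The keystore the service will open is the one under that data path.
$expectedKeystore = Join-Path $dataPath 'winlogbeat.keystore'

# 4. Look for keystores in the other place an interactive run may have created one.
$candidates = @(
    (Join-Path $InstallDir 'data\winlogbeat.keystore'),
    (Join-Path $env:PROGRAMDATA 'winlogbeat\winlogbeat.keystore')
) | Where-Object { Test-Path $_ } | Sort-Object -Unique

if (Test-Path $expectedKeystore) {
    Write-Host "OK: service will load keystore $expectedKeystore"
} else {
    Write-Warning "Service --path.data is '$dataPath' but no keystore exists there."
    foreach ($c in $candidates) {
        Write-Warning "  Found a keystore at $c (created with a different --path.data)."
    }
    Write-Host 'Either reinstall the service with --path.data pointing at the directory that holds'
    Write-Host 'the keystore, or recreate the keystore with the data path the service uses, e.g.:'
    Write-Host "  & '$InstallDir\winlogbeat.exe' keystore create --path.data '$dataPath'"
    Write-Host "  & '$InstallDir\winlogbeat.exe' keystore add CLOUD_AUTH --path.data '$dataPath'"
}

# 5. Whichever keystore is live holds the cloud credentials; only SYSTEM and
#    Administrators should be able to read it. Flag broad read grants.
if (Test-Path $expectedKeystore) {
    $acl   = Get-Acl -Path $expectedKeystore
    $broad = $acl.Access | Where-Object {
        $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' -and
        $_.FileSystemRights -match 'Read|Modify|FullControl'
    }
    if ($broad) {
        Write-Warning "Keystore is readable by: $(($broad.IdentityReference | Sort-Object -Unique) -join ', ')"
    } else {
        Write-Host 'OK: keystore ACL grants no read access to broad groups.'
    }
}
```

Run it from an elevated PowerShell on the host after installing the service. Of the two fixes it suggests, recreating the keystore under the data path the service already uses keeps the secret material under `%PROGRAMDATA%` rather than under `Program Files`; the thread's own fix of pointing `--path.data` at `$workdir\data` works equally well as long as the keystore file's ACL is tightened the same way.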
