Winlogbeat service can not start

Hi there, I'm configuring winlogbeat and trying to start it. The first time I installed the winlogbeat service and started it, it worked fine. After several hours, it could no longer start and gave errors. I uninstalled the service and re-installed it, but it still doesn't work. Below is the error message.

```
PS C:\Program Files\winlogbeat> Start-Service winlogbeat -Verbose
VERBOSE: Performing the operation "Start-Service" on target "winlogbeat (winlogbeat)".
Start-Service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot start service winlogbeat on computer '.'.
At line:1 char:1
+ Start-Service winlogbeat -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand
```

Winlogbeat.yml

```yaml
# Event logs to collect; events older than 24h are skipped.
winlogbeat.event_logs:
- name: Application
  ignore_older: 24h
- name: Security
  ignore_older: 24h
- name: System
  ignore_older: 24h

# Top-level keys must start in column 0.
output.elasticsearch:
  hosts:
    - localhost:9200

setup.kibana:
  host: "localhost:5601"

logging.to_files: true
# path must be nested under logging.files.
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
```

I got the command that starts this service and tried to run it directly, and got the error below:

```
PS C:\Program Files\winlogbeat> "C:\Program Files\winlogbeat\\winlogbeat.exe" -c "C:\Program Files\winlogbeat\\winlogbeat.yml" -path.home "C:\Program Files\winlogbeat" -path.data "C:\\ProgramData\\winlogbeat" -path.logs "C:\\ProgramData\\winlogbeat\logs"
At line:1 char:47
+ "C:\Program Files\winlogbeat\\winlogbeat.exe" -c "C:\Program Files\wi ...
+                                               ~~
Unexpected token '-c' in expression or statement.
At line:1 char:50
+ ... logbeat.exe" -c "C:\Program Files\winlogbeat\\winlogbeat.yml" -path.h ...
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token '"C:\Program Files\winlogbeat\\winlogbeat.yml"' in expression or statement.
At line:1 char:96
+ ... t.exe" -c "C:\Program Files\winlogbeat\\winlogbeat.yml" -path.home "C ...
+                                                             ~~~~~
Unexpected token '-path' in expression or statement.
At line:1 char:101
+ ... " -c "C:\Program Files\winlogbeat\\winlogbeat.yml" -path.home "C:\Pro ...
+                                                             ~~~~~
Unexpected token '.home' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken
```

Any idea?

Hello @Nickname_Yu

A few questions:

  • What version of winlogbeat do you use?
  • Did you run the uninstaller script?

If I understand correctly, it used to work and start, and then it stopped working?

I'm using the latest version downloaded yesterday, supposed to be 6.2.4.
The problem disappeared this morning. All I did was shut down the server yesterday and start it this morning. It's weird.
Any idea what I can do next time the problem occurs?
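
Added example, not part of the thread: the `ParserError` in the first post is PowerShell treating a quoted path as a string expression, so the binary never ran; the call operator `&` is what executes it. The function below gathers what is needed the next time the service refuses to start, assuming the install and log paths shown in the posts; the function name `Test-WinlogbeatStart` is hypothetical.

```powershell
# Added example. Paths are the ones shown in the thread;
# the function name Test-WinlogbeatStart is hypothetical.
function Test-WinlogbeatStart {
    param(
        [string]$BeatHome = 'C:\Program Files\winlogbeat',
        [string]$LogDir   = 'C:\ProgramData\winlogbeat\Logs'
    )
    $exe = Join-Path $BeatHome 'winlogbeat.exe'
    $cfg = Join-Path $BeatHome 'winlogbeat.yml'

    # 1. Service state, last exit code and the command line the service manager runs.
    Get-CimInstance Win32_Service -Filter "Name='winlogbeat'" |
        Format-List Name, State, StartMode, ExitCode, PathName | Out-Host

    # 2. Validate the configuration in the foreground.
    #    A quoted path alone is only a string; & invokes it as a command.
    & $exe test config -c $cfg -e | Out-Host
    $configOk = ($LASTEXITCODE -eq 0)

    # 3. Recent Service Control Manager events that mention the service.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager' }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'winlogbeat' } |
        Select-Object -First 5 TimeCreated, Id, Message |
        Format-List | Out-Host

    # 4. Tail of Winlogbeat's own most recent log file, if one exists.
    $latest = Get-ChildItem $LogDir -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($latest) { Get-Content $latest.FullName -Tail 30 | Out-Host }

    # $true when the configuration parsed cleanly, $false otherwise.
    return $configOk
}

Test-WinlogbeatStart
```

Run it from an elevated PowerShell session so the service and event log queries are not filtered by permissions.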
