Winlogbeat service stopped automatically

Good day!
I have installed Winlogbeat on Windows Server 2012 R2 on an event collector.
It was installed properly, but the service automatically stops after some time, about 12 hours or more.
winlogbeat.event_logs:
- name: Application
  ignore_older: 5000h
- name: System
  ignore_older: 5000h
- name: Security
  ignore_older: 5000h
- name: ForwardedEvents
  ignore_older: 5000h
- name: Windows PowerShell
  ignore_older: 5000h
- name: Microsoft-Windows-NTLM/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-PowerShell/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-TaskScheduler/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBServer/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Connectivity
  ignore_older: 5000h
- name: Microsoft-Windows-SMBServer/Security
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Connectivity
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Security
  ignore_older: 5000h
- name: Microsoft-Windows-Sysmon/Operational
  ignore_older: 5000h

tags: ["WindowsServer"]

output.elasticsearch:
  hosts: ["elkdomain:8881"]

setup.kibana:
  host: "https://elkdomain:443"
  protocol: "https"

setup.ilm.overwrite: true
#output.logstash:
#  hosts: ["elkdomain:5044"]
#setup.template.enabled: false
#setup.ilm.enabled: false
#ilm.enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: C:/Program Files/Winlogbeat/logs
  name: winlogbeat
  keepfiles: 20

Welcome to our community! :smiley:
Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you.

What do your Winlogbeat logs show?

Sorry :frowning: I haven't used this blog before

Config file:

winlogbeat.event_logs:
- name: Application
  ignore_older: 5000h
- name: System
  ignore_older: 5000h
- name: Security
  ignore_older: 5000h
- name: ForwardedEvents
  ignore_older: 5000h
- name: Windows PowerShell
  ignore_older: 5000h
- name: Microsoft-Windows-NTLM/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-PowerShell/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-TaskScheduler/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBServer/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Connectivity
  ignore_older: 5000h
- name: Microsoft-Windows-SMBServer/Security
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Connectivity
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Security
  ignore_older: 5000h
- name: Microsoft-Windows-Sysmon/Operational
  ignore_older: 5000h

tags: ["WindowsServer"]

output.elasticsearch:
  hosts: ["elk.mydomain.tj:8881"]

setup.kibana:
  host: "https://elk.mydomain.tj:443"
  username: "kibana"
  password: "password"
  protocol: "https"

setup.ilm.overwrite: true
#output.logstash:
#  hosts: ["elk.mydomain.tj:5044"]
#setup.template.enabled: false
#setup.ilm.enabled: false 
#ilm.enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: C:/Program Files/Winlogbeat/logs
  name: winlogbeat
  keepfiles: 20

Log:

2020-09-18T10:30:34.389+0500	DEBUG	[service]	service/service.go:65	Received svc stop/shutdown request
2020-09-18T10:30:34.390+0500	INFO	beater/winlogbeat.go:161	Stopping Winlogbeat

2020-09-18T10:30:34.391+0500	DEBUG	[publisher]	pipeline/client.go:166	client: done unlink
2020-09-18T10:30:34.391+0500	DEBUG	[publisher]	pipeline/client.go:177	client: cancelled 0 events
2020-09-18T10:30:34.391+0500	DEBUG	[publisher]	pipeline/client.go:164	client: unlink from queue
2020-09-18T10:30:34.391+0500	DEBUG	[publisher]	pipeline/client.go:166	client: done unlink
2020-09-18T10:30:34.683+0500	INFO	[monitoring]	log/log.go:154	Uptime: 11h33m26.812219s
2020-09-18T10:30:34.683+0500	INFO	[monitoring]	log/log.go:131	Stopping metrics logging.
2020-09-18T10:30:34.688+0500	INFO	instance/beat.go:456	winlogbeat stopped.

After some time I must start the service manually :frowning:
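
One way to triage the stop sequence in the log above, added here as an example and not part of the original thread: it parses the Winlogbeat file-log lines, reports whether the stop followed a service stop/shutdown request or came with errors, and derives the process start time from the logged uptime. The function names and result keys are hypothetical; the sample input is copied from the posted log.

```python
import re
from datetime import datetime, timedelta

# Sample input: shutdown lines copied from the log posted above.
SAMPLE_LOG = (
    "2020-09-18T10:30:34.389+0500\tDEBUG\t[service]\tservice/service.go:65\tReceived svc stop/shutdown request\n"
    "2020-09-18T10:30:34.390+0500\tINFO\tbeater/winlogbeat.go:161\tStopping Winlogbeat\n"
    "2020-09-18T10:30:34.683+0500\tINFO\t[monitoring]\tlog/log.go:154\tUptime: 11h33m26.812219s\n"
    "2020-09-18T10:30:34.688+0500\tINFO\tinstance/beat.go:456\twinlogbeat stopped.\n"
)

# Fields: timestamp, level, optional [selector], source file:line, message.
LINE_RE = re.compile(r"^(\S+)\s+([A-Z]+)\s+(?:\[([^\]]+)\]\s+)?(\S+:\d+)\s+(.*)$")
UPTIME_RE = re.compile(r"Uptime: (?:(\d+)h)?(?:(\d+)m)?([\d.]+)s$")


def parse_line(line):
    """Split one Winlogbeat file-log line into fields, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z")
    return {"ts": ts, "level": m.group(2), "selector": m.group(3),
            "source": m.group(4), "msg": m.group(5)}


def summarize_stop(text):
    """Report how the Beat stopped and the period the process was running."""
    out = {"stop_requested": False, "errors": 0, "stopped_at": None,
           "uptime": None, "started_at": None}
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["level"] in ("ERROR", "WARN"):
            out["errors"] += 1
        if "Received svc stop/shutdown request" in rec["msg"]:
            out["stop_requested"] = True
        up = UPTIME_RE.match(rec["msg"])
        if up:
            h, m, s = up.groups()
            out["uptime"] = timedelta(hours=int(h or 0), minutes=int(m or 0),
                                      seconds=float(s))
            # Start of the run = timestamp of the uptime line minus uptime.
            out["started_at"] = rec["ts"] - out["uptime"]
        if rec["msg"] == "winlogbeat stopped.":
            out["stopped_at"] = rec["ts"]
    return out


if __name__ == "__main__":
    for key, value in summarize_stop(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `stopped_at` value marks the start of the collection gap, and together with `started_at` it gives the window to compare against the Windows System log on the collector.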
