Winlogbeat service stopped automaticly

collideroff · September 17, 2020, 7:14pm

Good day!
I have installed winlogbeat in WindowsServer 2012R2 on EventCollector.
It's was istalled properly, but service automaticly stopped after several time..abou 12 hours on more.
winlogbeat.event_logs:

name: Application
ignore_older: 5000h
name: System
ignore_older: 5000h
name: Security
ignore_older: 5000h
name: ForwardedEvents
ignore_older: 5000h
name: Windows PowerShell
ignore_older: 5000h
name: Microsoft-Windows-NTLM/Operational
ignore_older: 5000h
name: Microsoft-Windows-PowerShell/Operational
ignore_older: 5000h
name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
ignore_older: 5000h
name: Microsoft-Windows-TaskScheduler/Operational
ignore_older: 5000h
name: Microsoft-Windows-SMBServer/Operational
ignore_older: 5000h
name: Microsoft-Windows-SMBClient/Connectivity
ignore_older: 5000h
name: Microsoft-Windows-SMBServer/Security
ignore_older: 5000h
name: Microsoft-Windows-SMBClient/Connectivity
ignore_older: 5000h
name: Microsoft-Windows-SMBClient/Operational
ignore_older: 5000h
name: Microsoft-Windows-SMBClient/Security
ignore_older: 5000h
name: Microsoft-Windows-Sysmon/Operational
ignore_older: 5000h

tags: ["WindowsServer"]

output.elasticsearch:
hosts: ["elkdomain:8881"]

setup.kibana:
host: "https://elkdomain:443"
protocol: "https"

setup.ilm.overwrite: true
#output.logstash:

hosts: ["elkdomain:5044"]

#setup.template.enabled: false
#setup.ilm.enabled: false
#ilm.enabled: false

logging.level: info
logging.to_files: true
logging.files:
path: C:/Program Files/Winlogbeat/logs
name: winlogbeat
keepfiles: 20

warkolm · September 17, 2020, 10:33pm

Welcome to our community!
Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you.

What do your Winlogbeat logs show?

collideroff · October 4, 2020, 12:08pm

Sorry I dont use this blog before

Config file:

winlogbeat.event_logs:
- name: Application
  ignore_older: 5000h
- name: System
  ignore_older: 5000h
- name: Security
  ignore_older: 5000h
- name: ForwardedEvents
  ignore_older: 5000h
- name: Windows PowerShell
  ignore_older: 5000h
- name: Microsoft-Windows-NTLM/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-PowerShell/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-TaskScheduler/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBServer/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Connectivity
  ignore_older: 5000h
- name: Microsoft-Windows-SMBServer/Security
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Connectivity
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Operational
  ignore_older: 5000h
- name: Microsoft-Windows-SMBClient/Security
  ignore_older: 5000h
- name: Microsoft-Windows-Sysmon/Operational
  ignore_older: 5000h

  
tags: ["WindowsServer"]


output.elasticsearch:
  hosts: ["elk.mydomain.tj:8881"]

setup.kibana:
  host: "https://elk.mydomain.tj:443"
  username: "kibana"
  password: "password"
  protocol: "https"

setup.ilm.overwrite: true
#output.logstash:
#  hosts: ["elk.mydomain.tj:5044"]
#setup.template.enabled: false
#setup.ilm.enabled: false 
#ilm.enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: C:/Program Files/Winlogbeat/logs
  name: winlogbeat
  keepfiles: 20

Log:

2020-09-18T10:30:34.389+0500	DEBUG	[service]	service/service.go:65	Received svc stop/shutdown request
2020-09-18T10:30:34.390+0500	INFO	beater/winlogbeat.go:161	Stopping Winlogbeat

2020-09-18T10:30:34.391+0500	DEBUG	[publisher]	pipeline/client.go:166	client: done unlink
2020-09-18T10:30:34.391+0500	DEBUG	[publisher]	pipeline/client.go:177	client: cancelled 0 events
2020-09-18T10:30:34.391+0500	DEBUG	[publisher]	pipeline/client.go:164	client: unlink from queue
2020-09-18T10:30:34.391+0500	DEBUG	[publisher]	pipeline/client.go:166	client: done unlink
2020-09-18T10:30:34.683+0500	INFO	[monitoring]	log/log.go:154	Uptime: 11h33m26.812219s
2020-09-18T10:30:34.683+0500	INFO	[monitoring]	log/log.go:131	Stopping metrics logging.
2020-09-18T10:30:34.688+0500	INFO	instance/beat.go:456	winlogbeat stopped.

After several time I must start service manually

system · November 1, 2020, 2:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat continuously crashes on Windows 2003 server Beats winlogbeat	18	3167	November 4, 2022
Winlogbeat loses some events from Microsoft-IIS-Logging/Logs Beats windows , winlogbeat	2	1937	May 15, 2020
[Help] Help about Winogbeat service failure Beats winlogbeat	1	200	February 29, 2024
Correct way to Start and Stop Winlogbeat with Powershell Beats winlogbeat	6	3707	October 28, 2018
Winlogbeat Service Still Running but Security Log Events No Longer Published After Windows Auto-Archives Event Log- Sometimes Beats winlogbeat	2	252	August 18, 2022

Winlogbeat service stopped automaticly

hosts: ["elkdomain:5044"]

Related Topics