Winlogbeat service unable to start - error 1053 - "service did not responded to start"


I can't start winlogbeat - getting error 1053 - "service did not responded to start"

When testing config and connection all is OK.
I did set the option to not verify TLS.

No other errors found. I would appreciate any idea or hint.

PS C:\Program Files\winlogbeat> Start-Service winlogbeat
Start-Service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot start service winlogbeat on computer '.'.
At line:1 char:1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

I have installed and tested winlogbeat - all was OK.

PS C:\Program Files\winlogbeat> .\winlogbeat.exe test config
Config OK
PS C:\Program Files\winlogbeat> .\winlogbeat.exe test output
  parse url... OK
    parse host... OK
    dns lookup... OK
    dial up... OK
    security... WARN server's certificate chain verification is disabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.6.2
PS C:\Program Files\winlogbeat>

My full winlogbeat config in winlogbeat.yml is:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 240h
  - name: System
  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
setup.dashboards.enabled: true
setup.kibana:
  host: ""
  protocol: "https"
  username: "beatuser"
  password: "${ES_PWD}"

  ssl.verification_mode: none
  ssl.supported_protocols: [TLSv1.2, TLSv1.3]

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  hosts: [""]
  protocol: "https"
  username: "beatuser"
  password: "${ES_PWD}"
  ssl.verification_mode: none
  ssl.supported_protocols: [TLSv1.2, TLSv1.3]
setup.ilm.enabled: true
setup.template.settings:
  index.number_of_shards: 1
setup.template.enabled: true
setup.template.name: "winlogbeat-%{[agent.version]}"
setup.template.pattern: "winlogbeat-%{[agent.version]}-*"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
Will it run from the CLI as an Administrator? You might want to try grabbing the exact command that service runs and execute that. The command will be in the properties for the service.

Are you running with a keystore? Where is the keystore? The service will load it from the directory which is C:\ProgramData\winlogbeat.


The keystore is in: C:\Program Files\winlogbeat\data

The command which the service starts with is:
"C:\Program Files\winlogbeat\winlogbeat.exe" -c "C:\Program Files\winlogbeat\winlogbeat.yml" -path.home "C:\Program Files\winlogbeat" "C:\ProgramData\winlogbeat" -path.logs "C:\ProgramData\winlogbeat\logs" -E logging.files.redirect_stderr=true

The error I am getting has a clue about the parameter "-c":

At line:1 char:46
+ "C:\Program Files\winlogbeat\winlogbeat.exe" -c "C:\Program Files\winlogbeat\win ...
+                                              ~~
Unexpected token '-c' in expression or statement.
At line:1 char:49
+ "C:\Program Files\winlogbeat\winlogbeat.exe" -c "C:\Program Files\winlogbeat\win ...
+                                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token '"C:\Program Files\winlogbeat\winlogbeat.yml"' in expression or statement.
At line:1 char:94
+ ... inlogbeat.yml" -path.home "C:\Program Files\winlogbeat" "C:\ProgramDa ...
+                    ~~~~~
Unexpected token '-path' in expression or statement.
At line:1 char:99
+ ... beat.yml" -path.home "C:\Program Files\winlogbeat" "C:\ProgramData\wi ...
+                    ~~~~~
Unexpected token '.home' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

Move it to C:\ProgramData\winlogbeat and try the service again.

I did move it and I have tried to start it from the command prompt and using the services app - the same error.

PS C:\Program Files\winlogbeat> dir
    Directory: C:\Program Files\winlogbeat
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          5/7/2020  10:09 PM            data
d----          5/6/2020   1:44 PM            kibana
d----          5/7/2020  10:55 PM            logs
d----          5/6/2020   1:44 PM            module
-a---          5/6/2020   1:42 PM         41 .build_hash.txt
-a---          5/6/2020   1:42 PM     163122 fields.yml
-a---          5/6/2020   1:42 PM        864 install-service-winlogbeat.ps1
-a---          5/6/2020   1:42 PM      13675 LICENSE.txt
-a---          5/7/2020  10:08 PM         48 meta.json
-a---          5/6/2020   1:42 PM     328580 NOTICE.txt
-a---          5/6/2020   1:42 PM        825
-a---          5/6/2020   1:42 PM        254 uninstall-service-winlogbeat.ps1
-a---          5/6/2020   1:42 PM       6856 winlogbeat-old.yml
-a---          5/6/2020   1:42 PM   47818752 winlogbeat.exe
-a---          5/7/2020  10:09 PM        206 winlogbeat.keystore
-a---          5/7/2020  10:09 PM        130 winlogbeat.keystore.old
-a---          5/6/2020   1:42 PM      47900 winlogbeat.reference.yml
-a---          5/7/2020  10:53 PM       1290 winlogbeat.yml

Did you try


rather than

C:\Program Files\winlogbeat ?

Oops, sorry - it is working now with ProgramData - my mistake.
So basically the keystore has to be in ProgramData - I may be wrong but I have missed that in the docs.
Thank you.

I think there's an open issue to improve the docs around this case. Additionally there's a new MSI installer that should help this by creating a wrapper script so that the keystore is created in the proper directory.

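An added example, not part of the original thread: a PowerShell check that reads the command line the service actually runs, works out which data directory it uses, and reports whether a keystore exists there or only in the directory used by a plain CLI run. It assumes the service name `winlogbeat` and the keystore file name `winlogbeat.keystore` seen in the thread; `Get-BeatFlag` is a hypothetical helper. Arguments are passed as a string array and the executable is invoked with `&`, which avoids the parser errors shown above when the quoted service command is pasted directly.

```powershell
# Added example. Assumes the service is named 'winlogbeat' and the keystore file
# is 'winlogbeat.keystore' inside the data path, as in the thread.
$svc = Get-CimInstance Win32_Service -Filter "Name='winlogbeat'"
if (-not $svc) { throw "Service 'winlogbeat' is not installed." }
$cmdLine = $svc.PathName   # exact command line the service manager runs

function Get-BeatFlag {
    # Hypothetical helper: return the quoted value following -Flag or --Flag.
    param([string]$CommandLine, [string]$Flag)
    $pattern = '(?<!\S)-{1,2}' + [regex]::Escape($Flag) + '\s+"([^"]+)"'
    if ($CommandLine -match $pattern) { return $Matches[1] }
    return $null
}

# The executable is the first quoted token of the service command line.
if ($cmdLine -notmatch '^\s*"([^"]+)"') { throw "Cannot parse: $cmdLine" }
$exe = $Matches[1]

$config   = Get-BeatFlag $cmdLine 'c'
$pathHome = Get-BeatFlag $cmdLine 'path.home'
$pathData = Get-BeatFlag $cmdLine 'path.data'
if (-not $pathHome) { $pathHome = Split-Path $exe }
# Without an explicit data path, a Beat falls back to <path.home>\data.
if (-not $pathData) { $pathData = Join-Path $pathHome 'data' }

# Compare the keystore the service reads with the one a plain CLI run uses.
[pscustomobject]@{
    ServiceDataPath       = $pathData
    KeystoreInServicePath = Test-Path (Join-Path $pathData 'winlogbeat.keystore')
    KeystoreInHomeData    = Test-Path (Join-Path $pathHome 'data\winlogbeat.keystore')
} | Format-List

# List the keys in the keystore the service will open, using the same paths.
# Each argument is its own string so PowerShell does not split on the dot.
$beatArgs = @('keystore', 'list', '--path.home', $pathHome, '--path.data', $pathData)
if ($config) { $beatArgs += @('-c', $config) }
& $exe @beatArgs
```

Run it from an elevated prompt. If `ES_PWD` is missing from the listed keys, the `${ES_PWD}` reference in winlogbeat.yml cannot be resolved when the service starts, even though `test config` from the install directory succeeds.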