Winlogbeat service won't start - Server 2016

uklipse · December 10, 2019, 8:47pm

I'm trying to install winlogbeat on a Server 2016 host but the service won't start. I've tested the config file using: winlogbeat.exe test config and it comes back OK. I've tried running it in the foreground using winlogbeat.exe -c winlogbeat.yml -e -v -d "*" and get some results in Kibana. The same install files are used on Win10 machines and they install and services starts correctly. We use an older version of winlogbeat but I've downloaded the newest one (7.5) and get the same result of service not starting.

Anything else I can try or is there something different with Server 2016?

Michal_Pristas · December 11, 2019, 3:05pm

hey @uklipse

can you see some error in the event log?

uklipse · December 11, 2019, 3:52pm

The only error I get is: The winlogbeat service terminated unexpectedly. It has done this 3 time(s).
Not very helpful

Michal_Pristas · December 11, 2019, 3:57pm

and what about winlogbeat logs directory?

I assume you ran .\install-service-winlogbeat.ps1 script
can you also share a path where winlogbeat is located?

uklipse · December 11, 2019, 4:16pm

Yes I extracted the 7.5 download file to the Downloads folder and ran the install-service-winlogbeat.ps1 script. The full path is C:\Users\demoadmin\Downloads\winlogbeat-7.5.0-windows-x86_64\winlogbeat-7.5.0-windows-x86_64

Michal_Pristas · December 11, 2019, 4:18pm

I think windows service tries to locate your service on a path C:\Program Files\Winlogbeat\...

try renaming winlogbeat-7.5.0-windows-x86_64 to Winlogbeat as stated here: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html

uklipse · December 11, 2019, 4:31pm

Tried that but same result of service not starting. Our original installation had this in the C:\Program Files. I was just using the download folder by keeping everything to default settings.

Michal_Pristas · December 12, 2019, 10:22am

for me it seems like windows has some issues finding service as you don't see any winlogbeat logs.
can you run services and find winlogbeat there? if you select properties you will see Path to executable settings. Make sure this path and the path where your installation lives matches.

uklipse · December 12, 2019, 4:42pm

I'm not sure that this is a winlogbeat issue now but a Windows one. I rebooted the computer and the service was running however after a few minutes it stopped and wouldn't restart. During that time I did receive logs from it.

uklipse · January 2, 2020, 8:15pm

I'm still having this issue but wanted to update with what I've found. The winlogbeat service only starts on a reboot and is stable until the service is restarted. After a restart attempt, we get an Error 1067: The process terminated unexpectedly. I thought this might be a Windows issues so I posted this over in the Microsoft forums but they ultimately said to check with the developer.

So I'm not sure why it starts on a reboot but not just a regular restart.

system · February 5, 2020, 3:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.