WinlogBeat stuck @ "Stopping" / Windows-Service

florianmulatz · May 9, 2023, 7:07am

Good Morning guys - please don't blame me if this topic is already covered somewhere - at least I was not able to find it.

I've the problem that my winlogbeat Service (as well as the manually spawned process) never stops if I klick on Stop in Windows-Service-Manager (or press CTRL+C on console).
I don't know what's happening there - and I even don't know where to start since when I look on the console I can see loglines like

{"log.level":"info","@timestamp":"2023-05-09T08:55:56.910+0200","log.logger":"service_windows","log.origin":{"file.name":"service/service_windows.go","file.line":63},"message":"received state change 'svc.Stop' from windows service manager","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:56.911+0200","log.logger":"service_windows","log.origin":{"file.name":"service/service_windows.go","file.line":74},"message":"changed windows service state to svc.StopPending, invoking stopCallback","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:56.915+0200","log.logger":"service","log.origin":{"file.name":"service/service.go","file.line":59},"message":"Received Windows SVC stop/shutdown request","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:56.910+0200","log.logger":"service","log.origin":{"file.name":"service/service.go","file.line":52},"message":"Received signal \"interrupt\", stopping","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:56.916+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/winlogbeat.go","file.line":190},"message":"Stopping Winlogbeat","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:56.928+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Microsoft-Windows-SmbClient/Connectivity","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:57.009+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Windows PowerShell","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:57.236+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Microsoft-Windows-PowerShell/Operational","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:57.318+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Application","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:57.394+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Microsoft-Windows-SmbClient/Security","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:57.394+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Microsoft-Windows-SMBClient/Operational","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:57.394+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Microsoft-Windows-Windows Defender/Operational","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:57.520+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Microsoft-Windows-NlaSvc/Operational","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T08:55:57.862+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":126},"message":"Stop processing.","service.name":"winlogbeat","id":"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational","ecs.version":"1.6.0"}

I always have to kill the winlogbeat.exe from task-manager otherwise I can not start the process again (obviously )

Thx for any help guys!

for reference - my winlogbeat.yml (obfuscated)

winlogbeat.event_logs:
    - name: Application
      ignore_older: 72h
    - name: Security
      ignore_older: 72h
    - name: System
      ignore_older: 72h
    - name: Windows PowerShell
      ignore_older: 72h
    - name: Microsoft-Windows-GroupPolicy/Operational
      ignore_older: 72h
    - name: Microsoft-Windows-SmbClient/Connectivity
      ignore_older: 72h
    - name: Microsoft-Windows-SMBClient/Operational
      ignore_older: 72h
    - name: Microsoft-Windows-SmbClient/Security
      ignore_older: 72h
    - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
      ignore_older: 72h
    - name: Microsoft-Windows-NlaSvc/Operational
      ignore_older: 72h
    - name: Microsoft-Windows-TaskScheduler/Operational
      ignore_older: 72h
    - name:  Microsoft-Windows-PowerShell/Operational
      ignore_older: 72h
    - name: Microsoft-Windows-Windows Defender/Operational
      event_id: 1116
      ignore_older: 72h

output.logstash:
    hosts: ["logstash-output-host1","logstash-output-host2"]
    worker: 1
    loadbalance: true
    slow_start: true

winlogbeat.registry_file: C:/ProgramData/winlogbeat/winlogbeat.yml
 
logging.level: info
logging.to_files: true
logging.to_syslog: false
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
  name: mybeat.log
logging.selectors: ["*"]

florianmulatz · May 11, 2023, 6:40am

any ideas?
Thx guys

andrewkroh · May 15, 2023, 11:38pm

It could be this bug.

github.com/elastic/beats

winlogbeat: allow termination while attempting to open channels

elastic:main ← efd6:s3385-winlogbeat

opened 09:28PM - 15 May 23 UTC

efd6

+7 -0

## What does this PR do?  Currently, if winlogbeat is attempting to open a channel that is not available because it is not found or there is a recoverable error, it will loop and retry. Since signals have been sent to notification handlers by this point, cancellation of the loop is not possible without agreement. So add a cancellation select at the head of the retry loop to allow termination. ## Why is it important?  The current behaviour requires heroic user intervention when attempting to bring down a running winlogbeat that has not been able to get its input channels. ## Checklist  - [x] My code follows the style guidelines of this project - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] I have made corresponding change to the default configuration files - [ ] I have added tests that prove my fix is effective or that my feature works - [x] I have added an entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`. ## Author's Checklist  - [ ] ## How to test this PR locally  ## Related issues  - ## Use cases  ## Screenshots  ## Logs

system · June 13, 2023, 1:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.