Winlogbeat test config got both error and Config OK

I'm installing Winlogbeat on a Windows Server 2016 DC. When I run winlogbeat test config, it gave both an error and Config OK. Is it OK or an error, then?
winlogbeat.yml file as below

winlogbeat.event_logs:

  • name: Application
    ignore_older: 24h
  • name: Security
    ignore_older: 24h
  • name: System
    ignore_older: 24h

output.elasticsearch:
hosts:
- localhost:9200

setup.kibana:
host: "localhost:5601"

logging.to_files: true
logging.files:
path: C:/ProgramData/winlogbeat/Logs
logging.level: info

Command and output as below:

PS C:\Program Files\winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

.\winlogbeat.exe : 2018-05-07T17:40:40.108Z INFO instance/beat.go:468 Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path:
[C:\Program Files\winlogbeat\data] Logs path: [C:\Program Files\winlogbeat\logs]
At line:1 char:1

  • .\winlogbeat.exe test config -c .\winlogbeat.yml -e
  •   + CategoryInfo          : NotSpecified: (2018-05-07T17:4...inlogbeat\logs]:String) [], RemoteException
      + FullyQualifiedErrorId : NativeCommandError
    
    

2018-05-07T17:40:40.145Z INFO instance/beat.go:475 Beat UUID: 10395ff9-94ac-4391-b0d4-445cfdbaf898
2018-05-07T17:40:40.145Z INFO instance/beat.go:213 Setup Beat: winlogbeat; Version: 6.2.4
2018-05-07T17:40:40.146Z INFO elasticsearch/client.go:145 Elasticsearch url: http://localhost:9200
2018-05-07T17:40:40.146Z INFO pipeline/module.go:76 Beat name: AZCWVTST1514
2018-05-07T17:40:40.146Z INFO beater/winlogbeat.go:56 State will be read from and persisted to C:\Program Files\winlogbeat\data.winlogbeat.yml
Config OK

Can you wrap the config and output with triple backticks like this:

```
output
```

Otherwise it's impossible to understand

Thanks

winlogbeat.yml

```
winlogbeat.event_logs:
- name: Application
  ignore_older: 24h
- name: Security
  ignore_older: 24h
- name: System
  ignore_older: 24h

output.elasticsearch:
  hosts:
    - localhost:9200

setup.kibana:
  host: "localhost:5601"

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info
```

test config output

```
PS C:\Program Files\winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

.\winlogbeat.exe : 2018-05-07T17:40:40.108Z	INFO	instance/beat.go:468	Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: 
[C:\Program Files\winlogbeat\data] Logs path: [C:\Program Files\winlogbeat\logs]
At line:1 char:1
+ .\winlogbeat.exe test config -c .\winlogbeat.yml -e
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (2018-05-07T17:4...inlogbeat\logs]:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

2018-05-07T17:40:40.145Z	INFO	instance/beat.go:475	Beat UUID: 10395ff9-94ac-4391-b0d4-445cfdbaf898
2018-05-07T17:40:40.145Z	INFO	instance/beat.go:213	Setup Beat: winlogbeat; Version: 6.2.4
2018-05-07T17:40:40.146Z	INFO	elasticsearch/client.go:145	Elasticsearch url: http://localhost:9200
2018-05-07T17:40:40.146Z	INFO	pipeline/module.go:76	Beat name: AZCWVTST1514
2018-05-07T17:40:40.146Z	INFO	beater/winlogbeat.go:56	State will be read from and persisted to C:\Program Files\winlogbeat\data\.winlogbeat.yml
Config OK
```

Hope this gives better format

It seems that the following error:

```
At line:1 char:1
+ .\winlogbeat.exe test config -c .\winlogbeat.yml -e
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (2018-05-07T17:4...inlogbeat\logs]:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
```

is just PowerShell complaining that winlogbeat is printing messages to standard error output (stderr). This is caused by the `-e` flag in winlogbeat.

You can run winlogbeat without the -e flag so it prints its log to winlogbeat.log or just ignore this error. It has nothing to do with the configuration.
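The point made in the answer above, as an added example that is not part of the original thread: a deployment script can keep `-e` and still get a clean verdict by unwrapping the `NativeCommandError` records and deciding on the exit code plus the `Config OK` line. The function name `Test-WinlogbeatConfig` is hypothetical, the paths are assumed from the prompt shown in the thread, and the check assumes a failed config test exits with a non-zero code.

```powershell
# Added example; function name is hypothetical, paths assumed from the thread.
function Test-WinlogbeatConfig {
    param(
        [string]$Exe    = 'C:\Program Files\winlogbeat\winlogbeat.exe',
        [string]$Config = 'C:\Program Files\winlogbeat\winlogbeat.yml'
    )

    # With $ErrorActionPreference = 'Stop', Windows PowerShell can turn
    # redirected stderr from a native command into a terminating error,
    # so force 'Continue' inside this function's scope only.
    $ErrorActionPreference = 'Continue'

    # 2>&1 merges stderr into the pipeline. Lines that came from stderr arrive
    # as ErrorRecord objects (the "NativeCommandError" text in the thread);
    # stdout lines such as "Config OK" arrive as plain strings.
    $raw  = & $Exe test config -c $Config -e 2>&1
    $code = $LASTEXITCODE   # capture immediately, before anything else runs

    $lines = foreach ($item in $raw) {
        if ($item -is [System.Management.Automation.ErrorRecord]) {
            $item.Exception.Message   # the original log line, without the wrapper
        } else {
            [string]$item
        }
    }

    [pscustomobject]@{
        ExitCode = $code
        # Assumption: a config that fails validation yields a non-zero exit code.
        ConfigOk = ($code -eq 0) -and [bool]($lines -match '^Config OK\s*$')
        Log      = $lines
    }
}

$result = Test-WinlogbeatConfig
$result.Log | ForEach-Object { Write-Host $_ }

if (-not $result.ConfigOk) {
    Write-Error "winlogbeat config test failed (exit code $($result.ExitCode))"
    exit 1
}
```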
