Winlogbeat - unable to start service on windows

I'm using the ELK stack as a syslog server on a Debian server in order to gather logs from Cisco devices and Windows server.

Everything was working fine until I wanted to use HTTPS instead of HTTP; now Kibana and Elasticsearch are only available over HTTPS.

So I changed my winlogbeat config on my Windows server as below :

setup.kibana:
  hosts: ["https://<server_ip>:5601"]
  protocol: "https"
  ssl.certificate_authorities: ["certs/ca.crt"]
  ssl.enabled: true
  username: "elastic"
  password: "<my_password>"

output.elasticsearch:
  hosts: ["https://<server_IP>:9200"]
  username: "elastic"
  password: "<my_password>"
  ssl.certificate_authorities: ["certs/ca.crt"]
  ssl.enabled: true
  pipeline: "winlogbeat-%{[agent.version]}-routing"

these lines are the only ones I changed when I went from HTTP to HTTPS, and when using the winlogbeat tool, I get this :

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config
Config OK
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test output
elasticsearch: https://<server_IP>:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: <server_IP>
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.11.3

Everything looks fine without any issue. But when I try starting the service :

PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Start-Service : Le service «winlogbeat (winlogbeat)» ne peut pas démarrer en raison de l'erreur suivante: Impossible
de démarrer le service winlogbeat sur l'ordinateur '.'.
Au caractère Ligne:1 : 1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
   ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

and same with services.msc.

Even more surprising, when I use the .exe file (as below) to run it, it works!

.\winlogbeat.exe -c .\winlogbeat.yml run -e -d "*"

And with this command, I get the logs in the ELK. For me it's nonsense, but I may have forgotten something

I tried to figure out what was wrong (some rights in the folder, files missing, wrong arguments), but I found nothing.
I tried uninstalling and reinstalling the service, but that didn't work either.

And when I go back to an HTTP config, everything works fine, but I just followed the documentation here

here's my config in the ELK server :

elasticsearch.yml :

node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: "server_ip"
http.port: 9200
xpack.security.enabled: true

xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: certs/LRFSYSLOG01S.key
  certificate: certs/LRFSYSLOG01S.crt
  certificate_authorities: certs/ca.crt

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  key: certs/LRFSYSLOG01S.key
  certificate: certs/LRFSYSLOG01S.crt
  certificate_authorities: certs/ca.crt
  verification_mode: certificate

kibana.yml:

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/LRFSYSLOG01S.crt
server.ssl.key: /etc/kibana/certs/LRFSYSLOG01S.key
elasticsearch.hosts: ["https://<server_ip>:9200"]

elasticsearch.username: "kibana"
elasticsearch.password: "<password>"

elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/ca.crt" ]

filebeat.yml:

setup.kibana:
  host: "https://<server_ip>:5601"
  ssl.certificate_authorities: ["certs/ca.crt"]
  username: "elastic"
  password: "<password>"


output.elasticsearch:
  hosts: ["https://<server_ip>:9200"]

  username: "elastic"
  password: "<password>"
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

I don't think the issue comes from my server config, but from my Windows server. I hope someone has an explanation for this issue.

I also tried to modify the time Windows allows for a service to start (with the help of this website: How to extend the timeout for services if they fail to start or stop (codetwo.com))

but after a reboot of the server, still the same :
image
it's in French, but it says, error 1053: the service did not respond quickly enough to the control launch request

and still the same with starting it with PowerShell :

PS C:\Windows\system32> Start-Service winlogbeat
Start-Service : The "winlogbeat (winlogbeat)" service cannot be started due to the following error: Impossible
to start winlogbeat service on computer '.'.
At character Ligne:1 : 1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
 + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
 ServiceCommandException
 + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

but as before, launching winlogbeat in console mode (with the .exe file) works perfectly fine :

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\Config_test.yml run -e -d "*"

and I do receive the logs in my ELK server :

I also looked at the issues talking about the windows service that doesn't want to start in the forum, but none of them got a solution.

I found a temporary solution :

  • Creating a .bat file to execute the cmd command I used above
  • Creating a scheduled task that launches this script in a cmd instance as an admin
  • trying it and seeing those logs in the ELK.

This is working for now, but it's not the best solution.

I forgot to give the version of each element :

  • filebeat v 8.11.3
  • debian 12
  • kibana v 8.11.3
  • winlogbeat v 8.11.4
  • elasticsearch v 8.11.3

Hi @fracorbas could you see if your issue might be similar to this one from 8.13? Winlogbeat 8.13.0 dont start service - #6 by tapiojaa

If it's the same problem as that topic, 8.13 has trailing / on some of the service paths if it was installed via the MSI. The linked comment has a suggestion on how to fix it, or it should be fixed in the next release.

Hi @NickFritts,

thanks for the answer. I did not install winlogbeat with the msi installer, but directly using the .zip file and installing the service with the powershell script.

I tried doing what was in the topic you mentioned, but I just got an error because, I guess, I don't have the same installation, and so I can't use the sc command on winlogbeat.

It does not seem to be the same issue, because I can start winlogbeat in an administrator shell, but not as a service (with PowerShell or services.msc).

It seems like my problem is because of HTTPS, but I found no topic about this, did I forget something ?

@fracorbas Since you're using PowerShell, I think you would have to run sc.exe instead of sc.

Could you try that? And if it does work, can you show the output of sc.exe qc winlogbeat (but change winlogbeat to the name of your service if it is different)?

Hi @NickFritts, I didn't think about using PowerShell, but it works, here's the result :

PS C:\Windows\system32> .\sc.exe qc winlogbeat
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: winlogbeat
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\Winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\Winlogbeat" --path.data "C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E logging.files.redirect_stderr=true
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : winlogbeat
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
PS C:\Windows\system32>

So I tried using the command from the topic :

PS C:\Windows\system32> .\sc.exe config winlogbeat binPath="\"C:\Program Files\Winlogbeat\winlogbeat.exe" --path.home \"C:\Program Files\Winlogbeat\" --path.config \"C:\Program Files\Winlogbeat\" --path.data \"C:\Program Files\Winlogbeat\" --path.logs \"C:\Program Files\Winlogbeat\" -E logging.files.redirect_stderr=true"
DESCRIPTION:
        Modifie l'entrée d'un service dans le Registre et la base de données des services.
UTILISATION:
        sc <serveur> config [nom service] <option1> <option2>...

OPTIONS:
REMARQUE: le nom d'option contient le signe égal.
           Un espace est nécessaire entre le signe égal et la valeur.
      Pour supprimer la dépendance, utilisez un seul / comme valeur de dépendance.
 type= <own|share|interact|kernel|filesys|rec|adapt|userown|usershare>
 start= <boot|system|auto|demand|disabled|delayed-auto>
 error= <normal|severe|critical|ignore>
 binPath= <NomCheminAccèsBinaire au fichier .exe>
 group= <LoadOrderGroup>
 tag= <yes|no>
 depend= <Dépendances (séparées par / (barre oblique))>
 obj= <NomCompte|NomObjet>
 DisplayName= <nom complet>
 password= <mot de passe>

and I got an error that I don't understand. It tells me to put a space between the "=" and the value.
When I do so, it tells me the same.

Because I'm kinda dumb and don't understand how this command works, I just used the brute way :
going to regedit (here's the path : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlogbeat), looking for the specific key and modifying it :
image

the value before was exactly the one displayed by the sc command

and now I have :

PS C:\Windows\system32> .\sc.exe qc winlogbeat
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: winlogbeat
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "\"C:\Program Files\Winlogbeat\winlogbeat.exe\" --environment=windows_service -c \"C:\Program Files\Winlogbeat\winlogbeat.yml\" --path.home \"C:\Program Files\Winlogbeat\" --path.config \"C:\Program Files\Winlogbeat\" --path.data \"C:\Program Files\Winlogbeat\" --path.logs \"C:\Program Files\Winlogbeat\" -E logging.files.redirect_stderr=true"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : winlogbeat
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

so the modifications have been taken, but :

PS C:\Windows\system32> Start-Service winlogbeat
Start-Service : Le service « winlogbeat (winlogbeat) » ne peut pas démarrer en raison de l'erreur suivante : Impossible de démarrer le service winlogbeat sur l'ordinateur '.'.
Au caractère Ligne:1 : 1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

I still got the same error.

Are the changes I've made the ones expected by the sc command ?

I think both binpaths should have worked.

If you use the binpath you currently have or the one from before and just attempt to run it from the command line do either of them work?

If they don't, can you try removing one extra option at a time until they do and let me know which one makes it start working?

from a command line, it's working (with the latest binPath) :

but the service is not :

PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Start-Service : Le service « winlogbeat (winlogbeat) » ne peut pas démarrer en raison de l'erreur suivante : Impossible de démarrer le service winlogbeat sur l'ordinateur '.'.
Au caractère Ligne:1 : 1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

with "\"C:\Program Files\Winlogbeat\winlogbeat.exe\" -c \"C:\Program Files\Winlogbeat\winlogbeat.yml\" --path.home \"C:\Program Files\Winlogbeat\" --path.config \"C:\Program Files\Winlogbeat\" --path.data \"C:\Program Files\Winlogbeat\" --path.logs \"C:\Program Files\Winlogbeat\" -E logging.files.redirect_stderr=true" as a binPath, I get :

PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Start-Service : Le service « winlogbeat (winlogbeat) » ne peut pas démarrer en raison de l'erreur suivante : Impossible de démarrer le service winlogbeat sur l'ordinateur '.'.
Au caractère Ligne:1 : 1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\Config_test.yml run -e -d "*"
{"log.level":"info","@timestamp":"2024-04-30T12:23:24.265+0200","log.origin":{"file.name":"instance/beat.go","file.line":806},"message":"Home path: [C:\\Program Files\\Winlogbeat] Config path: [C:\\Program Files\\Winlogbeat] Data path: [C:\\Program Files\\Winlogbeat\\data] Logs path: [C:\\Program Files\\Winlogbeat\\logs]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:23:24.364+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":897},"message":"Beat metadata path: C:\\Program Files\\Winlogbeat\\data\\meta.json","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-04-30T12:23:24.369+0200","log.origin":{"file.name":"instance/beat.go","file.line":814},"message":"Beat ID: 8dbbbb47-2410-4c0c-b688-6c72cb8b6d2a","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:23:24.414+0200","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition contains: map[]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:23:24.414+0200","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition !contains: map[]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:23:24.418+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":130},"message":"add_cloud_metadata: starting to fetch metadata, timeout=3s","service.name":"winlogbeat","ecs.version":"1.6.0"}

with "\"C:\Program Files\Winlogbeat\winlogbeat.exe\" --path.home \"C:\Program Files\Winlogbeat\" --path.config \"C:\Program Files\Winlogbeat\" --path.data \"C:\Program Files\Winlogbeat\" --path.logs \"C:\Program Files\Winlogbeat\" -E logging.files.redirect_stderr=true", I get :

PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Start-Service : Le service « winlogbeat (winlogbeat) » ne peut pas démarrer en raison de l'erreur suivante : Impossible de démarrer le service winlogbeat sur l'ordinateur '.'.
Au caractère Ligne:1 : 1
+ Start-Service winlogbeat
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

with "\"C:\Program Files\Winlogbeat\winlogbeat.exe\" --path.home \"C:\Program Files\Winlogbeat\" --path.data \"C:\Program Files\Winlogbeat\" --path.logs \"C:\Program Files\Winlogbeat\" -E logging.files.redirect_stderr=true" I have the same

with "\"C:\Program Files\Winlogbeat\winlogbeat.exe\" --path.home \"C:\Program Files\Winlogbeat\" --path.logs \"C:\Program Files\Winlogbeat\" -E logging.files.redirect_stderr=true" same

with "\"C:\Program Files\Winlogbeat\winlogbeat.exe\" -E logging.files.redirect_stderr=true" same

with "\"C:\Program Files\Winlogbeat\winlogbeat.exe\"" same

but with every dataPath, running the winlogbeat with the .exe works :

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\Config_test.yml run -e -d "*"
{"log.level":"info","@timestamp":"2024-04-30T12:29:26.328+0200","log.origin":{"file.name":"instance/beat.go","file.line":806},"message":"Home path: [C:\\Program Files\\Winlogbeat] Config path: [C:\\Program Files\\Winlogbeat] Data path: [C:\\Program Files\\Winlogbeat\\data] Logs path: [C:\\Program Files\\Winlogbeat\\logs]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:26.406+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":897},"message":"Beat metadata path: C:\\Program Files\\Winlogbeat\\data\\meta.json","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-04-30T12:29:26.411+0200","log.origin":{"file.name":"instance/beat.go","file.line":814},"message":"Beat ID: 8dbbbb47-2410-4c0c-b688-6c72cb8b6d2a","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:26.469+0200","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition contains: map[]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:26.469+0200","log.logger":"conditions","log.origin":{"file.name":"conditions/conditions.go","file.line":98},"message":"New condition !contains: map[]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:26.476+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":130},"message":"add_cloud_metadata: starting to fetch metadata, timeout=3s","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:29.480+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":167},"message":"add_cloud_metadata: received disposition for gcp after 3.0020806s. result=[provider:gcp, error=failed requesting gcp metadata: Get \"http://169.254.169.254/computeMetadata/v1/?recursive=true&alt=json\": dial tcp 169.254.169.254:80: i/o timeout, metadata={}]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-04-30T12:29:29.481+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":173},"message":"add_cloud_metadata: received error failed requesting gcp metadata: Get \"http://169.254.169.254/computeMetadata/v1/?recursive=true&alt=json\": dial tcp 169.254.169.254:80: i/o timeout","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:29.485+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":176},"message":"add_cloud_metadata: timed-out waiting for all responses","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:29.486+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/providers.go","file.line":133},"message":"add_cloud_metadata: fetchMetadata ran for 3.0080136s","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-04-30T12:29:29.487+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:29.487+0200","log.logger":"processors","log.origin":{"file.name":"processors/processor.go","file.line":114},"message":"Generated new processors: add_host_metadata=[netinfo.enabled=[true], cache.ttl=[5m0s]], condition=!contains: map[], add_cloud_metadata={}","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2024-04-30T12:29:29.489+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":97},"message":"Syscall filtering is only supported on Linux","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-04-30T12:29:29.490+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1332},"message":"Beat info","service.name":"winlogbeat","system_info":{"beat":{"path":{"config":"C:\\Program Files\\Winlogbeat","data":"C:\\Program Files\\Winlogbeat\\data","home":"C:\\Program Files\\Winlogbeat","logs":"C:\\Program Files\\Winlogbeat\\logs"},"type":"winlogbeat","uuid":"8dbbbb47-2410-4c0c-b688-6c72cb8b6d2a"},"ecs.version":"1.6.0"}}

and the config still works :

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test output
elasticsearch: https://<server_ip>:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: <server_ip>
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.13.2

I just upgraded my ELK to 8.13.2

BUT
by setting the config in HTTP with the latest binPath => not working
with HTTP with the before binPath => working :upside_down_face:
with HTTPS with the before binPath => not working
with HTTPS with the latest binPath => not working

so I stayed with the first binPath, but it's weird that I can use winlogbeat with the .exe and it is working perfectly fine, but when I start the service, it's not working.

I thought maybe the name of my file was wrong, so I renamed the file Config_test.yml to winlogbeat.yml because it's the one used by default, and it changed nothing.

So :

  • the .exe works with everything (it doesn't care at all about the binPath, I think)
  • the service works only in http with the first binPath

is there an argument that we can add to tell the service to work in HTTPS or something ? Or it should be working with the config I have ?

I just found in the logs that I have this :

Process Create: RuleName: - UtcTime: 2024-04-30 10:50:09.054 ProcessGuid: {fb27ab9b-cce1-6630-1242-000000001300} ProcessId: 12468 Image: C:\Program Files\Winlogbeat\winlogbeat.exe FileVersion: 8.11.4 Description: Winlogbeat ships Windows event logs to Elasticsearch or Logstash. Product: Winlogbeat Company: Elastic OriginalFileName: winlogbeat.exe CommandLine: "C:\Program Files\Winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\Winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\Winlogbeat\" --path.data "C:\ProgramData\winlogbeat\" --path.logs "C:\ProgramData\winlogbeat\logs\" -E logging.files.redirect_stderr=true CurrentDirectory: C:\Windows\system32\ User: AUTORITE NT\Système

so I changed the binPath a bit to see if something changed :
"C:\Program Files\Winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\Winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\Winlogbeat\" --path.data "C:\ProgramData\winlogbeat\" --path.logs "C:\ProgramData\winlogbeat\logs\" -E logging.files.redirect_stderr=true
I added a \ at the end of each folder name

but it's not working either.

And I got this error too :
Le dépassement de délai (25000 millisecondes) a été atteint lors de l’attente de la connexion du service winlogbeat
The timeout (25000 milliseconds) was reached while waiting for the winlogbeat service to connect.

@fracorbas unfortunately I think we've reached the limit of what I can troubleshoot. I'm going to have another engineer on my team jump in to assist further.

I do want to dig in further though to make sure if there's a bug we get it fixed in the next release.
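
Two quoting problems come up in this thread: service paths that end in a separator just before the closing quote, and the `\"` sequences that ended up stored in the service entry after the regedit change. The PowerShell below is an added example, not code from any participant or from Elastic; the function name `Test-ServiceImagePath` is hypothetical, the sample strings are copied from the binPath values shown above, and it assumes the service binary splits its command line by the usual Windows rules (an odd run of backslashes directly before a double quote makes that quote literal).

```powershell
# Added example (not from the thread): lint a service ImagePath for quoting
# problems. Assumption: the binary follows the usual Windows argument-splitting
# rules, where an odd number of backslashes before a quote escapes the quote.
function Test-ServiceImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $escapedQuotes = 0

    # Find every run of backslashes that is immediately followed by a quote.
    foreach ($m in [regex]::Matches($ImagePath, '(\\+)"')) {
        if ($m.Groups[1].Length % 2 -eq 1) {
            $escapedQuotes++
            $start = [Math]::Max(0, $m.Index - 20)
            $context = $ImagePath.Substring($start, $m.Index + $m.Length - $start)
            $findings.Add("backslash before quote at offset $($m.Index): ...$context")
        }
    }

    # Quotes that still delimit arguments must come in pairs.
    $totalQuotes = ([regex]::Matches($ImagePath, '"')).Count
    if (($totalQuotes - $escapedQuotes) % 2 -ne 0) {
        $findings.Add('unbalanced double quotes after removing escaped ones')
    }

    [pscustomobject]@{
        Ok       = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Sample values copied from the sc.exe qc output and binPath strings in the thread.
$samples = [ordered]@{
    'first sc.exe qc output' = '"C:\Program Files\Winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\Winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\Winlogbeat" --path.data "C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E logging.files.redirect_stderr=true'
    'after the regedit change' = '"\"C:\Program Files\Winlogbeat\winlogbeat.exe\" --environment=windows_service -c \"C:\Program Files\Winlogbeat\winlogbeat.yml\" --path.home \"C:\Program Files\Winlogbeat\" --path.config \"C:\Program Files\Winlogbeat\" --path.data \"C:\Program Files\Winlogbeat\" --path.logs \"C:\Program Files\Winlogbeat\" -E logging.files.redirect_stderr=true"'
    'trailing backslash on each folder' = '"C:\Program Files\Winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\Winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\Winlogbeat\" --path.data "C:\ProgramData\winlogbeat\" --path.logs "C:\ProgramData\winlogbeat\logs\" -E logging.files.redirect_stderr=true'
}

foreach ($name in $samples.Keys) {
    $result = Test-ServiceImagePath -ImagePath $samples[$name]
    '{0}: Ok={1}' -f $name, $result.Ok
    $result.Findings | ForEach-Object { "    $_" }
}

# Check the value actually stored for the service (registry key from the thread).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\winlogbeat'
if (Test-Path $key) {
    Test-ServiceImagePath -ImagePath (Get-ItemProperty -Path $key).ImagePath
}
```

A clean result only rules out this class of quoting error in the stored command line; it says nothing about why the service fails to answer the start request in time.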