Hello,
I've downloaded, extracted, and renamed the latest Winlogbeat to the following folder: C:\Program Files\Elastic\Beats\Winlogbeat
I've corrected the install-service-winlogbeat.ps1to reflect the correct data folder C:\Program Files\Elastic\Beats\Winlogbeat\data as that is where the create keystore command places the keystore (have not actually created the keystore at this point)
Opened POSH as admin, ran the install-service-winlogbeat.ps1 - no errors, the service is stopped.
Created a keystore for my CloudID and cloud auth and saw it appear in the data folder.
.\winlogbeat.exe test config: Config OK
C:\Program Files\Elastic\Beats\Winlogbeat> .\winlogbeat.exe test output
elasticsearch: REDACTED
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: REDACTED
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.6.0
I receive the following error when attempting to start the service.
`C:\Program Files\Elastic\Beats\Winlogbeat> Start-Service winlogbeat
Start-Service : Failed to start service 'winlogbeat (winlogbeat)'.
At line:1 char:1
- Start-Service winlogbeat
-
+ CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], Ser viceCommandException + FullyQualifiedErrorId : StartServiceFailed,Microsoft.PowerShell.Commands.StartServiceCommand`
Running in the foreground successfully published events:
C:\Program Files\Elastic\Beats\Winlogbeat> .\winlogbeat.exe -c winlogbeat.yml -e -v -d "*"
Despite the service failing to start, here is the entry from the logs that seem to indicate it believes winlogbeat is actually running:
2020-03-24T10:28:26.614-0400 INFO [publisher] pipeline/module.go:110 Beat name: winlogbeat 2020-03-24T10:28:26.614-0400 INFO beater/winlogbeat.go:69 State will be read from and persisted to C:\Program Files\Elastic\Beats\Winlogbeat\data\.winlogbeat.yml 2020-03-24T10:28:26.627-0400 WARN [cfgwarn] registered_domain/registered_domain.go:60 BETA: The registered_domain processor is beta. 2020-03-24T10:28:26.628-0400 INFO elasticsearch/client.go:174 Elasticsearch url: REDACTED 2020-03-24T10:28:26.628-0400 INFO instance/beat.go:439 winlogbeat start running. 2020-03-24T10:28:26.628-0400 INFO [monitoring] log/log.go:118 Starting metrics logging every 30s 2020-03-24T10:28:26.766-0400 WARN [cfgwarn] registered_domain/registered_domain.go:60 BETA: The registered_domain processor is beta.
But the service isn't actually running.
C:\Program Files\Elastic\Beats\Winlogbeat> get-service winlogbeat
Status Name DisplayName
Stopped winlogbeat winlogbeat
Any help is appreciated. I'm out of ideas for what to try at this point.
Why would it work in the foreground and not as a service?
What can I do?