Winlogbeat suddenly stops when started - Windows 2003 64-bit

Hi There,
Winlogbeat suddenly stops when I run the service. My system log says:
ID: 7034

The winlogbeat service terminated unexpectedly. It has done this 3 time(s).
I run winlogbeat version 6.1.1 on Windows 2k3 64-bit SP2 with the terminal server role. It works on another 2k3 machine.
But when I run it from the command line with .\winlogbeat.exe -e -c .\winlogbeat.yml it works and winlogbeat can ship the logs. It does not work as a Windows service.
Please help,
Thank you.

Can you share the winlogbeat logs from when it’s running as a service?

Can I share them with you in a private message? I enabled debug-mode logging.

Yes, share the logs via private message.

Here is the link for the log

Sorry for the delay.
Thank you.

We’ve been working on a fix for a similar issue encountered with Windows 2003.
Can you try this binary (built against current development code) to see if the problem is gone?

Great, it worked on Windows 64-bit. Is it possible to get your link for 32-bit as well?

Here’s the 32 bit version:

I got an error message from an installation based on winlogbeat 5.6.7 32-bit. The Windows service suddenly stops. I captured this log from winlogbeat:
2018-02-06T12:10:31+07:00 DBG Disable stderr logging
2018-02-06T12:10:31+07:00 INFO Metrics logging every 30s
2018-02-06T12:10:31+07:00 INFO Home path: [C:\Program Files\winlogbeat] Config path: [C:\Program Files\winlogbeat] Data path: [C:\ProgramData\winlogbeat] Logs path: [C:\Program Files\winlogbeat\logs]
2018-02-06T12:10:31+07:00 INFO Setup Beat: winlogbeat; Version: 5.6.8
2018-02-06T12:10:31+07:00 DBG Processors:
2018-02-06T12:10:31+07:00 DBG Initializing output plugins
2018-02-06T12:10:31+07:00 INFO Loading template enabled. Reading template file: C:\Program Files\winlogbeat\winlogbeat.template.json
2018-02-06T12:10:31+07:00 INFO Loading template enabled for Elasticsearch 2.x. Reading template file: C:\Program Files\winlogbeat\winlogbeat.template-es2x.json
2018-02-06T12:10:31+07:00 INFO Loading template enabled for Elasticsearch 6.x. Reading template file: C:\Program Files\winlogbeat\winlogbeat.template-es6x.json
2018-02-06T12:10:31+07:00 INFO Elasticsearch url: http://elk:9200
2018-02-06T12:10:31+07:00 INFO Activated elasticsearch as output plugin.
2018-02-06T12:10:31+07:00 DBG Create output worker
2018-02-06T12:10:31+07:00 DBG No output is defined to store the topology. The server fields might not be filled.
2018-02-06T12:10:31+07:00 INFO Publisher name: FILECENTER2
2018-02-06T12:10:31+07:00 INFO Flush Interval set to: 1s
2018-02-06T12:10:31+07:00 INFO Max Bulk Size set to: 50
2018-02-06T12:10:31+07:00 DBG create bulk processing worker (interval=1s, bulk size=50)
2018-02-06T12:10:31+07:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat.winlogbeat.yml
2018-02-06T12:10:31+07:00 DBG Using highest priority API, wineventlog, for event log Application
2018-02-06T12:10:31+07:00 DBG Initialized EventLog[Application]
2018-02-06T12:10:31+07:00 DBG Using highest priority API, wineventlog, for event log Security
2018-02-06T12:10:31+07:00 DBG Initialized EventLog[Security]
2018-02-06T12:10:31+07:00 DBG Using highest priority API, wineventlog, for event log System
2018-02-06T12:10:31+07:00 DBG Initialized EventLog[System]
2018-02-06T12:10:31+07:00 INFO winlogbeat start running.
2018-02-06T12:10:31+07:00 DBG Windows is interactive: false
2018-02-06T12:10:31+07:00 INFO Total non-zero values: uptime={"server_time":"2018-02-06T05:10:31.1201054Z","start_time":"2018-02-06T05:10:31.0470981Z","uptime":"73.0073ms","uptime_ms":"73007"}
2018-02-06T12:10:31+07:00 INFO Uptime: 85.0048ms
2018-02-06T12:10:31+07:00 INFO winlogbeat stopped.
2018-02-06T12:10:31+07:00 CRIT Exiting: yaml: control characters are not allowed
Also, I got this message when I run .\winlogbeat.exe -e -c winlogbeat.yml:
2018/02/06 05:09:34.393757 client.go:447: WARN Can not index event (status=400):
{"type":"illegal_argument_exception","reason":"Rejecting mapping update to [winlogbeat-2018.02.05] as the final mapping would have more than 1 type: [eventlogging, doc]"}
Thank you.

Is Winlogbeat still in this state? Can you zip up the registry file and share it (zipping will help ensure the binary data of the file is preserved)? Also, can you share the configuration that you are using for Winlogbeat?
In order to resolve this issue you will need to delete the registry file (which according to the log is at C:\ProgramData\winlogbeat.winlogbeat.yml). This may have been caused by a previous Winlogbeat crash. Hopefully it doesn’t happen again now that the crash has been fixed.

This issue is caused by the removal of types in 6.x. Sounds like you probably have multiple versions of Winlogbeat writing to the same index. One workaround would be to write the events to a versioned index (which is the default in Beats 6.x) by setting output.elasticsearch.index: winlogbeat-5.6.8-%{+yyyy.MM.dd}.
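
Added example (not from the thread or the Winlogbeat project): a pre-start check for the "yaml: control characters are not allowed" failure discussed in the reply above. It scans a registry file for characters outside the YAML 1.2 printable set; the function names and the sample registry contents are constructed for illustration.

```python
"""Find characters in a Winlogbeat registry file that a YAML reader rejects."""
import sys


def is_yaml_printable(cp):
    # YAML 1.2 "c-printable": tab, LF, CR, NEL and the ranges below.
    return (
        cp in (0x09, 0x0A, 0x0D, 0x85)
        or 0x20 <= cp <= 0x7E
        or 0xA0 <= cp <= 0xD7FF
        or 0xE000 <= cp <= 0xFFFD
        or 0x10000 <= cp <= 0x10FFFF
    )


def find_bad_chars(data):
    """Return (line, position, description) for every disallowed character."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            # Position is the 1-based byte offset of the first bad byte.
            findings.append((lineno, exc.start + 1, "invalid UTF-8"))
            continue
        for col, ch in enumerate(text, start=1):
            if not is_yaml_printable(ord(ch)):
                findings.append((lineno, col, "U+%04X" % ord(ch)))
    return findings


# Constructed sample registry contents (not taken from the affected host).
CLEAN = (b"update_time: 2018-02-06T05:10:31Z\n"
         b"event_logs:\n"
         b"- name: Application\n"
         b"  record_number: 1024\n")
# Constructed damage: a record cut short and padded with NUL bytes.
DAMAGED = CLEAN + b"- name: Secur\x00\x00\x00\x00\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = DAMAGED
    for line, pos, what in find_bad_chars(data):
        print("line %d position %d: %s" % (line, pos, what))
```

Run it with the service stopped, passing the path from the "State will be read from and persisted to" log line; any output means the registry file will fail to parse and should be deleted as the reply advises.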

Yep, I realised I’ve sent conflicting versions. The 64bit is built from master while the 32bit is 5.6.7.

This is a 32bit version of the current code in master plus the fix:

So the 32-bit fix version is winlogbeat 5.x and the 64-bit fix is 7.x-alpha, right?
And for the 5.x index, should I keep it separate from the 6.x index?

Did you try the new binary I sent you in my last message? It is supposed to be 7.x-alpha (which is the same winlogbeat as 6.2) plus the fix.

Yes, it worked. Now I can get the logs from the error machines.
Thanks for helping.
