Hi,
To diagnose the Winlogbeat Agent service issue (Error 1067: The process terminated unexpectedly), we require comprehensive diagnostic information. Please collect the following logs and data by following the steps below. Noting the exact date and time of the failure will help us correlate log entries with the issue.
Steps to Collect Logs
Locate and Collect Winlogbeat Logs
Check for Winlogbeat logs in:
C:\Program Files\Winlogbeat\logs\winlogbeat.log
C:\ProgramData\Winlogbeat\logs\winlogbeat.log
Confirm the log path in the winlogbeat.yml configuration file (typically in C:\Program Files\Winlogbeat) under the logging section:
```yaml
logging:
  to_files: true
  files:
    # Log directory and base file name (logging.files.path / logging.files.name)
    path: C:\ProgramData\Winlogbeat\logs
    name: winlogbeat.log
```
Collect recent log files, including winlogbeat.log and rotated logs (e.g., winlogbeat-2025-07-09.log). If logs are large, include only those from the time of the issue (e.g., the last 24 hours) and compress them using a tool like 7-Zip.
Collect Windows Event Logs
Open Event Viewer (Win + R, type eventvwr, press Enter).
Navigate to Windows Logs > System.
Filter for events with Source: Service Control Manager and Event ID: 7024 or 7000.
Locate Winlogbeat-related events around the failure time.
Export events: Right-click, select Save Selected Events, and save as an .evtx file. Alternatively, provide screenshots of the event details.
Run Winlogbeat in Debug Mode
Open a Command Prompt as Administrator:
```cmd
cd "C:\Program Files\Winlogbeat"
winlogbeat.exe -c winlogbeat.yml -e -d "*" > debug_output.txt 2>&1
```
Reproduce the issue (e.g., run in foreground or attempt to start the service).
Include the debug_output.txt file in the logs, even if errors occur.
Test Winlogbeat Configuration
Verify the configuration file:
```cmd
cd "C:\Program Files\Winlogbeat"
winlogbeat.exe test config -c winlogbeat.yml > config_test.txt 2>&1
```
If errors are reported, include config_test.txt without modifying winlogbeat.yml.
Check Service Configuration and Permissions
Collect service details:
```cmd
sc qc winlogbeat > service_config.txt
```
Verify permissions:
Open services.msc, locate the Winlogbeat service, and check the Log On tab.
Ensure the service account has:
Full control over C:\Program Files\Winlogbeat and C:\ProgramData\Winlogbeat.
Read access to Windows Event Logs (e.g., Security, System).
Write access to the log output directory.
Test Network Connectivity
Check the output section in winlogbeat.yml (e.g., Logstash at ENERGYLOGSERVER_IP:5044 or Elasticsearch).
Test connectivity:
```powershell
Test-NetConnection -ComputerName ENERGYLOGSERVER_IP -Port 5044 > network_test.txt
```
If PowerShell is unavailable, use telnet ENERGYLOGSERVER_IP 5044 (Telnet may need to be enabled).
Collect System Information
Gather system details:
```powershell
# Get-Service and Out-File are PowerShell cmdlets, so run both lines in PowerShell
systeminfo > system_info.txt
Get-Service winlogbeat | Out-File service_status.txt
```
Package and Send Logs
Create a ZIP archive containing:
| File | Description |
|---|---|
| winlogbeat.log | Winlogbeat logs (including rotated logs) |
| winlogbeat.yml | Configuration file |
| debug_output.txt | Debug mode output |
| config_test.txt | Configuration test results |
| service_config.txt | Service configuration details |
| .evtx files | Windows Event Viewer logs |
| system_info.txt | System information |
| service_status.txt | Winlogbeat service status |
| network_test.txt | Network connectivity test results |
Share the ZIP file via a secure method (e.g., cloud link or email, as agreed).
Additional Notes
These steps align with standard practices for Winlogbeat and Energy Logserver integration.
Common issues include misconfigured outputs, network connectivity problems, or insufficient permissions. Verify that the output section in winlogbeat.yml matches your Energy Logserver setup.
If any commands fail, include the error messages in the logs. Contact us if you encounter difficulties during log collection.
Please provide the logs as soon as possible to expedite resolution. Thank you for your cooperation.
Regards,
Michal
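
The non-interactive collection steps above, scripted as an added PowerShell example (not part of the original message and not Winlogbeat or Energy Logserver tooling). It stages a copy of winlogbeat.yml with `password`, `api_key` and `key_passphrase` values masked before packaging, and leaves the debug-mode run and the connectivity test to be done by hand. Assumptions: the default install path, a 24-hour window, a staging folder under %TEMP%, and that list of secret key names.

```powershell
# Added example: gathers the non-interactive artifacts listed above into one ZIP.
# Run from an elevated PowerShell prompt. $out, $since and $secretKeys are assumptions.
$wlb   = 'C:\Program Files\Winlogbeat'
$out   = Join-Path $env:TEMP ("winlogbeat-diag-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
$since = (Get-Date).AddHours(-24)          # "last 24 hours" window from the instructions
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Recent Winlogbeat logs from both candidate locations (kept apart to avoid name clashes).
$logDirs = @{ ProgramFiles = "$wlb\logs"; ProgramData = 'C:\ProgramData\Winlogbeat\logs' }
foreach ($name in $logDirs.Keys) {
    $files = Get-ChildItem -Path $logDirs[$name] -Filter 'winlogbeat*' -File -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -gt $since }
    if ($files) {
        $dest = New-Item -ItemType Directory -Path (Join-Path $out "logs-$name") -Force
        $files | Copy-Item -Destination $dest.FullName
    }
}

# 2. Copy of winlogbeat.yml with secret values masked; the original file is not touched.
$secretKeys = 'password|api_key|key_passphrase'
(Get-Content "$wlb\winlogbeat.yml") -replace "^(\s*#?\s*[\w.]*($secretKeys)\s*:\s*).+$", '${1}<REDACTED>' |
    Set-Content (Join-Path $out 'winlogbeat.yml')

# 3. Service Control Manager events 7000/7024 from the same window, exported as .evtx.
$query = "*[System[Provider[@Name='Service Control Manager'] and (EventID=7000 or EventID=7024) " +
         "and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
wevtutil epl System (Join-Path $out 'scm-events.evtx') "/q:$query" /ow:true

# 4. Config test, service definition, service status, system information.
& "$wlb\winlogbeat.exe" test config -c "$wlb\winlogbeat.yml" 2>&1 |
    Out-File (Join-Path $out 'config_test.txt')
# sc.exe, not sc: in Windows PowerShell plain 'sc' is an alias for Set-Content.
sc.exe qc winlogbeat | Out-File (Join-Path $out 'service_config.txt')
Get-Service winlogbeat | Format-List * | Out-File (Join-Path $out 'service_status.txt')
systeminfo | Out-File (Join-Path $out 'system_info.txt')

# 5. Package everything for transfer.
Compress-Archive -Path (Join-Path $out '*') -DestinationPath "$out.zip" -Force
Write-Output "Diagnostic bundle: $out.zip"
```

Review the masked winlogbeat.yml copy before sending; secrets stored under other key names, or embedded in a URL in the output section, are not caught by the pattern.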