Troubleshooting: Abnormal Windows system state prevents Filebeat from working properly

Keywords: Linux Windows network shell

A Filebeat troubleshooting case on Windows, for reference.

Problem Description:

The Filebeat agent service on Windows Server cannot start normally, which causes network data processing to fail and affects the use of large-scale user networks.

The error reporting information is as follows:

Look at the corresponding log file. The log information is as follows:

2019-03-04T11:38:14+08:00 INFO Home path: [C:\Program Files\Filebeat] Config path: [C:\Program Files\Filebeat] Data path: [C:\\ProgramData\\filebeat] Logs path: [C:\Program Files\Filebeat\logs]
2019-03-04T11:38:14+08:00 INFO Setup Beat: filebeat; Version: 5.1.2
2019-03-04T11:38:14+08:00 INFO Max Retries set to: 3
2019-03-04T11:38:14+08:00 INFO Activated logstash as output plugin.
2019-03-04T11:38:14+08:00 INFO Publisher name: "server name"
2019-03-04T11:38:14+08:00 INFO Flush Interval set to: 1s
2019-03-04T11:38:14+08:00 INFO Max Bulk Size set to: 2048
2019-03-04T11:38:14+08:00 INFO filebeat start running.
2019-03-04T11:38:14+08:00 INFO Registry file set to: C:\ProgramData\filebeat\registry
2019-03-04T11:38:14+08:00 INFO Loading registrar data from C:\ProgramData\filebeat\registry
2019-03-04T11:38:14+08:00 ERR Error decoding old state: invalid character '\x00' looking for beginning of value
2019-03-04T11:38:14+08:00 INFO Total non-zero values: 
2019-03-04T11:38:14+08:00 INFO Uptime: 42.0006ms
2019-03-04T11:38:14+08:00 INFO filebeat stopped.
2019-03-04T11:38:14+08:00 CRIT Exiting: Could not start registrar: Error loading state: Error decoding states: invalid character '\x00' looking for beginning of value

Environment (software/hardware):

Windows Server 2016, Filebeat 5.1.2

Reason analysis:

The Filebeat agent's registry information cannot be loaded properly as a result of patch updates, system reboots, service process interruption, user rights, service directory permission adjustments and so on.

1. Looking at the current server's system log, we found a large number of errors for the filebeat service stopping unexpectedly, event IDs 7000 and 7034:

Following that lead, we check the system for abnormal log entries and find that an unexpected shutdown occurred during a certain period of time, as follows:

2. View Filebeat's own log files, directory location: C:\ProgramData\filebeat\Logs:

The default log file records Filebeat's installation, configuration and other information. The following error messages are found:

INFO Loading registrar data from C:\ProgramData\filebeat\registry
ERR Error decoding old state: invalid character '\x00' looking for beginning of value
INFO Total non-zero values:

During this period, I tried uninstalling and reinstalling the Filebeat agent, and found that the service could not be restarted.

Solution steps:

1. Based on the content of the error message, we check the files under the Filebeat installation paths and find that uninstalling Filebeat through PowerShell does not, by default, delete the registry information in C:\ProgramData\filebeat\registry; here we try deleting the contents of the C:\ProgramData\filebeat directory directly;

2. Reinstall the Filebeat agent and restart the corresponding filebeat service. No exceptions are found and the backend is back to normal. (PS: Because restoring business came first, some content was not recorded and could only be supplemented with screenshots after service was restored; please be informed.)
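
The check and recovery described in the steps above, as an added example that is not part of the original post: it tests the registry file for the NUL bytes reported in the error, moves a damaged file aside instead of deleting the directory, and lists the 7000/7034 service events. The function names are hypothetical, and the default registry path and the service name 'filebeat' are assumptions taken from the log above.

```powershell
# Added example, not from the original post. Function names are hypothetical;
# the default path and the service name 'filebeat' are assumptions based on the log above.
function Test-FilebeatRegistry {
    param([string]$Path = 'C:\ProgramData\filebeat\registry')
    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 'Empty' }
    # A NUL byte is the character the JSON decoder rejected in the log above
    if ($bytes -contains 0) { return 'NulBytes' }
    try {
        [System.Text.Encoding]::UTF8.GetString($bytes) |
            ConvertFrom-Json -ErrorAction Stop | Out-Null
        return 'Ok'
    } catch { return 'InvalidJson' }
}

function Repair-FilebeatRegistry {
    param([string]$Path = 'C:\ProgramData\filebeat\registry',
          [string]$ServiceName = 'filebeat')
    $state = Test-FilebeatRegistry -Path $Path
    if ($state -in 'Ok', 'Missing') { return $state }   # nothing to repair
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    # Move the damaged file aside instead of deleting it, so it can be examined later
    $backup = '{0}.corrupt-{1:yyyyMMddHHmmss}' -f $Path, (Get-Date)
    Move-Item -LiteralPath $Path -Destination $backup -ErrorAction Stop
    Start-Service -Name $ServiceName
    return "$state (moved to $backup)"
}

function Get-FilebeatServiceFailures {
    # Service Control Manager events 7000 (failed to start) and 7034 (terminated unexpectedly)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'
        ProviderName = 'Service Control Manager'; Id = 7000, 7034 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'filebeat' } |
        Select-Object TimeCreated, Id, Message
}

# Constructed sample: 64 NUL bytes written to a temporary file, then checked
$sample = Join-Path $env:TEMP 'filebeat-registry-sample'
[System.IO.File]::WriteAllBytes($sample, (New-Object byte[] 64))
Test-FilebeatRegistry -Path $sample
Remove-Item -LiteralPath $sample
```

Repair-FilebeatRegistry has to be run from an elevated PowerShell session. Moving the registry away discards the saved read offsets, so Filebeat reads the configured log files again from the beginning and may send events that were already shipped.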

Note: In a production environment, it is advisable to monitor core business and core services, keep an eye on the corresponding log file storage directories, set size limits for log files, and so on, in order to anticipate and avoid unnecessary business downtime.

Posted by smpdawg on Sat, 11 May 2019 07:30:31 -0700