Hello,

First of all thanks for developing this beats, it is very helpfull.

I'm facing some problems to parse exec.stdout in logstash.

I'm trying to split every newline in stdout as new event, but I'm receiving this error:
[WARN ][logstash.filters.split ] Only String and Array types are splittable. field:exec.stdout is of type = NilClass

it is what I tried in logstash:

filter {
if [type] == "netstat" {
json {
source => "exec.stdout"
}
mutate {
convert => ["exec.stdout", "string"]
}
split {
field => "exec.stdout"
}
}
}

I noticed that exec.stdout is a keyword format.

Could you help me?

Hi,
This is the output.elasticsearch details:
output.elasticsearch:

Array of hosts to connect to.

hosts: ["localhost:9200"]

By default it should create an index in elastic search with execbeat+date
But I am unable to see the index being created.

Regards,
Sunil

Building execbeat fails as of today with the following error:

b.Events undefined (type *beat.Beat has no field or method Events).

It can be built with an old libbeats version (I have used glide.yaml of FLowbeat as described here https://discuss.elastic.co/t/flowbeats-fails-in-go-build/48601 to get an older libbeats).

Should somehow dependencies get versioning in execbeat as well?

Hi,

I was just playing with the beat. It sounds interested.
I download 3.3.0 on Windows and wanted to run the "dir" command.

But it shows exitCode 127.
Is it because "dir" would return a multiline output.
Any idea?

Hi,

I use execbeat to execute my shellscript, which accept multiple arguments. I have my execbeat configuration like;

execbeat:
  execs:
    -
      cron: "@every 5s"
      command: "/shellscripts/test.sh"
      args: "arga argb argc"
      document_type: execbeat
      fields:
        host: 192.168.0.1
        beatname: "beat1"
output.console:
  enabled: true
  pretty: true

my scellscript is very simple, its like;

#!/bin/sh
echo $1

but my ecexbeat always outputs;

arga argb argc

I am expecting only one output arga, how can I do this?

Thank you.

The documentation states that

# Optional cron expression, defines when to execute the command.
# Default is every 1 minute.
#cron:

https://github.com/christiangalsterer/execbeat/blob/master/execbeat.yml

Using this configuration did not schedule any execs. Only after setting the cron value specifically like

cron: "@every 10s"

triggered the execs as expected.

Occurred with execbeat v2.1.1 and v2.2.0 using the amd64.deb package on Linux.

As most people will try first using the provided configuration, you might consider fixing this. It took me a while to figure this out.

Keep up the great work!

thanks a lot

Matthias

hi,

would be possible having the -strict.perms back again??
i am getting the error "flag provided but not defined: -strict.perms"

Thanks.

Hi,

I'm unable to run multiple commands with the following execbeat.yml, as this returns only the last command.

commands:
   # Each - Commands to execute.
   -
     # Optional cron expression, defines when to execute the command.
     # Default is every 1 minute.
     schedule: "@every 2s"

     # The command to execute by Execbeat
     command: date

     # Optional arguments to be passed to the command to execute
     #args: /proc/vmstat 

     # Type to be published in the 'type' field. For Elasticsearch output,
     # the type defines the document type these entries should be stored
     # in. Default: execbeat
     document_type: execbeat

     schedule: "@every 3s"
     command: uptime
     #args: /home/aw110f/execbeat2.sh

output:

{"@timestamp":"2017-04-22T00:06:30.000Z","beat":{"hostname":"vert-dev-node1.ev1.yellowpages.com","name":"vert-dev-node1.ev1.yellowpages.com","version":"3.1.1"},"exec":{"command":"uptime","exitCode":0,"stdout":" 00:06:30 up 134 days, 5:02, 6 users, load average: 0.48, 0.82, 0.78\n"},"fields":{"env":"DEV"},"tags":["vertica","newt","vmstat"],"type":"execbeat"}
{"@timestamp":"2017-04-22T00:06:33.000Z","beat":{"hostname":"vert-dev-node1.ev1.yellowpages.com","name":"vert-dev-node1.ev1.yellowpages.com","version":"3.1.1"},"exec":{"command":"uptime","exitCode":0,"stdout":" 00:06:33 up 134 days, 5:02, 6 users, load average: 0.48, 0.82, 0.78\n"},"fields":{"env":"DEV"},"tags":["vertica","newt","vmstat"],"type":"execbeat"}

Hi,

I am using execbeat execbeat-5.2.1-SNAPSHOT-linux-x86_64 in my CentOS box. I have the configuration like below;

execbeat:

  execs:
	-
	  schedule: "@every 10s"
	  command: date
	  document_type: execbeat

output.console:
  enabled: true
  pretty: true

when I execute this, I am gettting the below output;

bash-4.1$ ./execbeat -c echotest.yml -e -d "*"
2017/02/23 05:15:07.114313 beat.go:267: INFO Home path: [/execbeat/execbeat-5.2.1-SNAPSHOT-linux-x86_64] Config path: [/execbeat/execbeat-5.2.1-SNAPSHOT-linux-x86_64] Data path: [/execbeat/execbeat-5.2.1-SNAPSHOT-linux-x86_64/data] Logs path: [/execbeat/execbeat-5.2.1-SNAPSHOT-linux-x86_64/logs]
2017/02/23 05:15:07.114347 beat.go:177: INFO Setup Beat: execbeat; Version: 3.0.1
2017/02/23 05:15:07.114359 processor.go:43: DBG  Processors:
2017/02/23 05:15:07.114371 beat.go:183: DBG  Initializing output plugins
2017/02/23 05:15:07.114414 outputs.go:106: INFO Activated console as output plugin.
2017/02/23 05:15:07.114426 publish.go:234: DBG  Create output worker
2017/02/23 05:15:07.114471 publish.go:276: DBG  No output is defined to store the topology. The server fields might not be filled.
2017/02/23 05:15:07.114497 publish.go:291: INFO Publisher name: mypc
2017/02/23 05:15:07.114661 async.go:63: INFO Flush Interval set to: 1s
2017/02/23 05:15:07.114673 async.go:64: INFO Max Bulk Size set to: 2048
2017/02/23 05:15:07.114683 async.go:72: DBG  create bulk processing worker (interval=1s, bulk size=2048)
2017/02/23 05:15:07.115033 logp.go:219: INFO Metrics logging every 30s
2017/02/23 05:15:07.115193 beat.go:207: INFO execbeat start running.
2017/02/23 05:15:07.115215 execbeat.go:35: INFO execbeat is running! Hit CTRL-C to stop it.
2017/02/23 05:15:37.115192 logp.go:232: INFO No non-zero metrics in the last 30s
2017/02/23 05:16:07.115270 logp.go:232: INFO No non-zero metrics in the last 30s
^C2017/02/23 05:16:07.796883 service.go:32: DBG  Received sigterm/sigint, stopping
2017/02/23 05:16:07.797013 logp.go:245: INFO Total non-zero values:
2017/02/23 05:16:07.797028 logp.go:246: INFO Uptime: 1m0.686646585s
2017/02/23 05:16:07.797034 beat.go:211: INFO execbeat stopped.

my command is not executing. Why is this happening?

We had previously tested ExecBeat with Elasticsearch 5.x but not 6.x . As I could see that there have been no commits to this repository for past some time. Wanted to check if this is still maintained? And does it support Elasticsearch 6.x ?

I am trying to use this beat.
keep on getting, command not found in %PATH% error.
getting errors on the index template.
".... the final mapping would have more than 1 type: [_doc, doc]

Hello, I would like to ask about command at execs

I am using "echo | openssl s_client -connect xx.xx.com:443 | openssl x509 -noout -dates -subject"

but it's nothing come out as output (Already try using example and can get output normally) .
I would like to know how to fix or how to run pipeline command.

Thank you for the answer

Update to ES 7.x. Focus is to get it running a make mandatory changes. Polishing will be done in a later release.

• Code
• Tests
• Format
• Travis
• README: Include remaining changes from master
• Add compatibility matrix to README
• Fields
• Multi platform build
• Release

Hi,

I tried the following:
command: sometool arg1 arg2
arg:
Error: couldn't fork

command: /usr/bin/bash /full/path/to/script_that_contains_the_above_command_and_args.sh
arg:
Error: couldn't fork

command: /full/path/to/script_that_contains_the_above_command_and_args.sh
arg:
Error: couldn't fork

Finally this worked:
command: sometool
arg: arg1 arg2

I guess I should have tried this first, but the fact that arg parameter is optional threw me off. Could this please be documented in a more elaborate manner (with some examples)?

Thanks!

I'm running powershell for counting active user, this is my Execbeat section which works fine, expect i enable (uncomment) schedule, than i get powershell error each seconds.

############################## Execbeat ########################################
execbeat:

commands:
# Each - Commands to execute.
-
# Optional cron expression, defines when to execute the command.
# Default is every 1 minute.
#schedule: '* */5 * * * *'

  # The command to execute by Execbeat
  command: powershell

  # Optional arguments to be passed to the command to execute
  args: "(get-aduser -property * -Filter {(enabled -eq $true)} ).count "

  # Type to be published in the 'type' field. For Elasticsearch output,
  # the type defines the document type these entries should be stored
  # in. Default: execbeat
  document_type: execbeat

#================================ General =====================================

here is the result and errors after uncommenting the scedule line:

PS C:\TMP\Elastic\execbeat-3.1.1-windows-x86> .\execbeat.exe -c .\execbeat.yml -e
2017/03/31 13:13:57.478460 beat.go:267: INFO Home path: [C:\TMP\Elastic\execbeat-3.1.1-windows-x86] Config path: [C:\TMP
\Elastic\execbeat-3.1.1-windows-x86] Data path: [C:\TMP\Elastic\execbeat-3.1.1-windows-x86\data] Logs path: [C:\TMP\Elas
tic\execbeat-3.1.1-windows-x86\logs]
2017/03/31 13:13:57.479461 beat.go:177: INFO Setup Beat: execbeat; Version: 3.1.1
2017/03/31 13:13:57.480461 output.go:167: INFO Loading template enabled. Reading template file: C:\TMP\Elastic\execbeat-
3.1.1-windows-x86\execbeat.template.json
2017/03/31 13:13:57.481460 output.go:178: INFO Loading template enabled for Elasticsearch 2.x. Reading template file: C:
\TMP\Elastic\execbeat-3.1.1-windows-x86\execbeat.template-es2x.json
2017/03/31 13:13:57.481460 client.go:120: INFO Elasticsearch url: http://localhost:9200
2017/03/31 13:13:57.482460 outputs.go:106: INFO Activated elasticsearch as output plugin.
2017/03/31 13:13:57.482460 publish.go:291: INFO Publisher name: ATWPIT01
2017/03/31 13:13:57.481460 logp.go:219: INFO Metrics logging every 30s
2017/03/31 13:13:57.486460 async.go:63: INFO Flush Interval set to: 1s
2017/03/31 13:13:57.486460 async.go:64: INFO Max Bulk Size set to: 50
2017/03/31 13:13:57.487461 beat.go:207: INFO execbeat start running.
2017/03/31 13:13:57.488461 execbeat.go:35: INFO execbeat is running! Hit CTRL-C to stop it.
2017/03/31 13:14:27.487565 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/31 13:14:57.487669 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/31 13:15:04.905187 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:05.491231 client.go:652: INFO Connected to Elasticsearch version 5.2.2
2017/03/31 13:15:05.491231 output.go:214: INFO Trying to load template for client: http://localhost:9200
2017/03/31 13:15:05.492231 output.go:235: INFO Template already exists and will not be overwritten.
2017/03/31 13:15:05.829252 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:07.652380 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:07.653381 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:09.028476 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:11.308635 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:11.560655 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:11.926681 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:13.770809 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:15.648941 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:15.662941 executor.go:88: ERR An error occured while executing command: exit status 1
2017/03/31 13:15:16.272984 logp.go:245: INFO Total non-zero values: libbeat.es.published_and_acked_events=9 libbeat.pub
lisher.published_events=11 libbeat.es.publish.write_bytes=8487 libbeat.publisher.messages_in_worker_queues=11 libbeat.es
.call_count.PublishEvents=7 libbeat.es.publish.read_bytes=2789
2017/03/31 13:15:16.274985 logp.go:246: INFO Uptime: 1m18.7985263s
2017/03/31 13:15:16.275985 beat.go:211: INFO execbeat stopped.

First of all: thank you for providing your software as Debian packages. There is one thing that in probably a bug, however:

From a dpkg/apt perspective the relevant version is not the one encoded in the file name but the one in the debian/control Version field. The execbeat packages contain a version sting like Version: 5.2.1-SNAPSHOT. This is not only a cosmetic issue because with the latest releases it became obvious that this version field does not change unless execbeat has its underlying libbeat version updated.
To clarify: both 3.0.0 and 3.0.1 are version 5.2.1-SNAPSHOT from the Debian perspective.

I would like to propose a different versioning scheme in the control file. I know that versioning schemes are a question of taste, so please take it as it is meant: as a suggestion.

One could simply put 3.0.1 there. But maybe it is a good idea to keep aligned with the major version of the elastic stack, currently 5. According to the debian policy the Version field's upstream version may contain additional characters. How about this: 5+3.0.1? Personally, I would also add the debian revision -1 suffix that makes it possible to release the same upstream version again with -2 if something is wrong with the packaging itself.

The following expressions yield true:

dpkg --compare-versions '5+3.0.1' '>>' '5+3.0.0'
dpkg --compare-versions '5+4.0.0' '>>' '5+3.0.1'
dpkg --compare-versions '6+1.0' '>>' '5+4.0.0'

The last example illustrates that one could even completely change the execbeat versioning scheme when the elastic stack major version changes.

To cut to the chase: there are many possibilities. But the main questions are: can you influence the debian/control file Version field in the context of your packaging process and if so, are you willing to change it?

I would like to ask whether there are any process management capabilities planned. To be more specific I am talking about the following options:

1. Single Instance: when the last spawned subprocess for a certain configured command has not returned yet but the scheduler is due again, do not start another instance of it.
2. Terminate after Timeout: when a subprocess has not returned but the configured timeout has expired send a TERM signal, and after a couple of seconds a KILL signal if necessary.

Of course, these features should be optional and would need to be activated explicitly per configuration. I am aware that I could realize these features myself. The first one is rather easy by using a lock file. The second one is a bit more complicated, probably I would use an intermediate command that would spawn the desired command and clean up on timeout.

But it boils down to the question whether you agree that having these features in execbeat would be a benefit compared to users writing their own code to accomplish these goals.

Hi @christiangalsterer

I get an error while running iptables commands using execbeat.

Error Debug

_2019-04-22T10:42:31Z ERR An error occured while executing command: exec: not started
2019-04-22T10:43:31Z ERR An error occured while executing command: exec: "sudo iptables -A INPUT -m statistic --mode random --probability 0.01 -j DROP": executable file not found in $PATH_

Ansible playbook

I used Ansible in order to install excebeat and its deployed in a docker container:

.....
.....
 - name: EXECBEAT - Donwload my package execbeat-3.3.0-amd64
    get_url : 
     url="https://github.com/christiangalsterer/execbeat/releases/download/3.3.0/execbeat-3.3.0-amd64.deb"
     dest="/etc/execbeat/execbeat-3.3.0-amd64.deb"
    when: stat_result.stat.exists == false

  - name: EXECBEAT - Copy custom template execbeat.yml filename
    copy: src=./setup-files/execbeat.yml dest=/etc/execbeat/execbeat.yml

  - name: EXECBEAT - Install execbeat-3.3.0-amd64.deb
    command: dpkg -i /etc/execbeat/execbeat-3.3.0-amd64.deb
.....
.....

Execbeat.yml

# location /etc/filebeat/

# Custom fields
# BEGIN -- Execbeat custom fields configured by Ansible
fields:
  exeusc: "EXECBEAT"
  component: "EIM"
  stream: "##stream-execbeat##"
fields_under_root: true
# END -- Execbeat custom fields configured by Ansible

# Execbeat
# BEGIN -- ############################ Execbeat ############################
execbeat:
  commands:
  - 
    # The command to execute by Execbeat
    command: sudo iptables -A INPUT -m statistic --mode random --probability 0.01 -j DROP
# END -- ############################ Execbeat ############################

logging:
    level: error
    files:
      path: "/tmp/beats/logs"
      name: execbeat_error.log
      rotateeverybytes: 2048
      keepfiles: 7

# Logstash output
# BEGIN -- ############################ Logstash output ############################
output.logstash:
  hosts: ["172.18.0.4:5044"]
# END -- ############################ Logstash output ############################

Could be a possible Go bug ?
https://stackoverflow.com/questions/44786643/exec-executable-file-not-found-in-path

Details: Image Linux dcd33f5897c8 4.15.0-47-generic #50~16.04.1-Ubuntu SMP Fri Mar 15 16:06:21
UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Contact: [email protected]

Thanks
Fernando -

execbeat:

commands:
# Each - Commands to execute.
-
# Optional cron expression, defines when to execute the command.
# Default is every 1 minute.
#schedule:

  # The command to execute by Execbeat
  command: avro-tools

  # Optional arguments to be passed to the command to execute
  args: tojson /tmp/testfile.avro

  # Type to be published in the 'type' field. For Elasticsearch output,
  # the type defines the document type these entries should be stored
  # in. Default: execbeat
  #document_type:

.. out put:
"exec": {
"command": "avro-tools",
"exitCode": 0,
"stdout": ""
},
"type": "execbeat

I downloaded the exec beat rpm. It seems it is not doing any commands. I tired changing the exec o commands due to previous issue i read but still no luck. Any suggestions? I am just doing basic date command sending to ES.

Hi,
I'm trying to use execbeat with ES7.*.
I know, this is not officially supported but I need it eagerly.
I receive following error:
2020/10/18 16:05:48.429281 client.go:447: WARN Can not index event (status=400): {"type":"illegal_argument_exception","reason":"Rejecting mapping update to [execbeat-2020.10.18] as the final mapping would have more than 1 type: [_doc, doc]"}
Can you give me a hint what may be the problem ?
Thanks a lot

Hello,
For a question , When I try to start execbeat by way of service in windows,I can't get right result but "ERR An error occured while executing command: exit status 2" , then I change the style of args in execbeat.yml from RelativePath to AbsolutePath , I get the right result. example:
[ schedule: 0/1 * * * * ?
command: python
args: ip.py/
] "ERR An error occured while executing command: exit status 2"
BUT
[schedule: 0/1 * * * * ?
command: python
args: D:\zork2.2.1\BDAgent\release\3rdPlugins\doubowen\testserver\ip.py
] this way is right .I get right result.

the problem is that I must use RelativePath in my project .How can I do?
Thank you very much.

Hi Christian,

I am looking dynamic insertion/deletion of commands in execbeat.yml file. That is when I add execbeat.yml in initial build it may not have exhaustive list of commands. But when needed i should be able to add/delete a new set of commands to execbeat.yml.

Is it possible as of now?

With Best wishes,
Veera

Hey,

I am using Execbeat to do different commands, I would like to use the exec.exitCode as a Number and not as a string thereby giving me the ability to add visualization using the field as a number.

I tried playing with the template changing the field from string to number but nothing worked.
Any idea how to change the fields to number? or to change the template in a way that when I add the index in will be mapped as a number?

Thank you.

Pressing ctrl+c gives an ugly stack trace except a proper shutdown.

Hi ,
I am using execbeat to get status of my linux services. I am using "bash" command and in argument i am passing the service status command like this:

execbeat:
commands:
-
schedule: "@every 10s"
command: bash
args: service execbeat status
document_type: "service_status"

output.console:
enabled: true
pretty: true

execbeat output is :

"exec": {
"command": "bash",
"stderr": "bash: service execbeat status: No such file or directory\n",
"stdout": ""
}

It is expecting a file path in argument.
How can I execute the bash command without passing file path as an argument ?

Thank You.

Hi ,

I am running a batch file in execbeat . Output looks like below .

Siebel Enterprise Applications Siebel Server Manager, Version 16.19.0.0 [23057] LANG_INDEPENDENT
Copyright (c) 2008,2016, Oracle. All rights reserved.

The Programs (which include both the software and documentation) contain
proprietary information; they are provided under a license agreement containing
restrictions on use and disclosure and are also protected by copyright, patent,
and other intellectual and industrial property laws. Reverse engineering,
disassembly, or decompilation of the Programs, except to the extent required to
obtain interoperability with other independently created software or as specified
by law, is prohibited.

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of
Oracle Corporation and/or its affiliates. Other names may be trademarks
of their respective owners.

If you have received this software in error, please notify Oracle Corporation
immediately at 1.800.ORACLE1.

Type "help" for list of commands, "help " for detailed help

Connected to 13 server(s) out of a total of 13 server(s) in the enterprise

srvrmgr> list comp show SV_NAME,CC_ALIAS,CP_DISP_RUN_STATE,CP_STARTMODE,CP_NUM_RUN_TASKS,CP_MAX_TASKS,CC_NAME order by CP_DISP_RUN_STATE

SV_NAME CC_ALIAS CP_DISP_RUN_STATE CP_STARTMODE CP_NUM_RUN_TASKS CP_MAX_TASKS CC_NAME

D1220001027A FSMSrvr Online Auto 0 20 File System Manager
D1220001027A ServerMgr Running Auto 4 20 Server Manager
D1220001027A SRBroker Running Auto 29 100 Server Request Broker
D1220001027A SRProc Running Auto 2 20 Server Request Processor
D1220001027A SvrTaskPersist Running Auto 1 1 Server Task Persistance
D1220001027A SCBroker Running Auto 2 2 Siebel Connection Broker
D1220001027A SvrTblCleanup Shutdown Manual 0 1 Server Tables Cleanup
D1220001030A CACWfProcMgrPE Online Auto 0 20 CAC Workflow Process Manager Process Engine
D1220001030A FSMSrvr Online Auto 0 20 File System Manager
D1220001030A SFMWfProcMgrPE Online Auto 0 20 SFM Workflow Process Manager Process Engine
D1220001030A ServerMgr Running Auto 4 20 Server Manager

Execbeat sending this whole info as single line to logstash , Is there any way that Execbeat can send data line by line separately considering each line as a seperate doc ?

Thanks in Advance
Saravana S

Hello,

When trying to run a reg query command with execbeat, I am running into an issue were no matter how I try to escape the registry key with & and a white space in the path, the line is not being parsed correctly.

I see two issues, one with the command and one with the args.

The issue with the command line in the execbeat.yml
commands:
schedule: 10 * * * *
command: cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here'
args: /s
When checking the yaml file, the above lines are being parsed as:
commands:
args: /s
command: "cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here'"
schedule: "10 * * * *"

However, the output when ran errors with the following.
{
"@timestamp": "2017-03-28T15:27:10.000Z",
"beat": {
"hostname": "somecomputer",
"name": "somecomputer",
"version": "3.1.1"
},
"exec": {
"command": "cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key\u0026stuff here'",
"exitCode": 0,
"stdout": ""
},
"type": "execbeat"
}

As you can see the & is getting parsed as \u0026. This happens with either single or double quotes.

To try and work around this issue, I modified the execbeat.yml file with the following:
execbeat:
commands:
schedule: 10 * * * *
command: cmd
args: /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here' /s

When executing the execbeat with this, I get the following error:
{
"@timestamp": "2017-03-28T15:42:10.000Z",
"beat": {
"hostname": "somecomputer",
"name": "somecomputer",
"version": "3.1.1"
},
"exec": {
"command": "cmd",
"exitCode": 1,
"stderr": "ERROR: Invalid key name.\r\nType "REG QUERY /?" for usage.\r\n'stuff' is not recognized as an internal
or external command,\r\noperable program or batch file.\r\n",
"stdout": ""
},
"type": "execbeat"

I have tried both single and double quoting the args options to no avail.

I believe this to be a bug in how execbeat is parsing the YAML file's command and args lines.

I am using (the otherwise great!) execbeat on windows (server 2008 R2 standard) and see execbeat not flushing the file to disk properly (stalling for 3+ hours in my case now). I have a filebeat picking up execbeat's logs but it will force close the logfile if inactive for n seconds (which it definitely is).
Any thoughts? Perhaps this can help? Many thanks!
PS to be even more specific I can see the exebeat log file size change (grow), but the date modified shown by windows explorer stays the same

With execbeat version 3.1.1 on GNU/Linux exit code zero is being returned if the configured command cannot be found.

The log file contains an appropriate error message but in the produced document the exitCode suggests success:

  "exec": {
    "command": "FILE",
    "exitCode": 0,
    "stdout": ""
  },

Please consider producing code 127 in this case because this will help to recognise the problem's cause. Thank you.

This would be a neat way to handle multiline in a docker environment by wrapping apps that are not logstash-aware in this beat, handling multiline and sending the results on to Docker. Please consider integrating something equivalent to the multiline plugin.

There's a typo on the README.

Starting Execbeat as Service
Where supported Execbeat can be started also using the respetive service scripts, e.g. etc/init.d/execsbeat.

Should be /etc/init.d/execbeat.