Error Starting Sidecar Service on Windows

Did a clean registry fix things?

If you can run it from command line - try setting the service to run under the same account and start/restart it. If it still fails, did anything show up in the application/security/system logs on the server that might give more information as to why? Carbon Black would block new service creation or might mess it up when you run the service installer:

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

tgarons,
Carbon Black is what we use, CB didn’t indicate it was blocking anything but once I set the policy to bypass “C:\Program Files\Graylog\sidecar**,” my life got better.


Thank you very much—setting up the bypasses for both sidecar and collector-sidecar did the trick.


I went ahead and did the same thing (added bypass in Carbon Black) but I’m still not able to get the graylog-sidecar to start via the service.
I can start it interactively via the command line. It doesn’t even log anything in the sidecar logs when attempting to start via the service. I just get the error 1067 service terminated unexpectedly.
Anyone have any ideas on any other troubleshooting methods I’m not using here?

Are there logs in Carbon Black that let you know when an application was allowed (or not allowed) to run? Check to see if the sidecar AND the sidecar-collector services were specifically allowed…


I don’t have any indication it’s being terminated by Carbon Black but wanted to go ahead and put the exclusion in to remove that from being part of the issue. I see the logs and see that graylog-sidecar.exe is now “company_whitelist”.

If you are running winlogbeat (or maybe nxlog?), that needs to be whitelisted too. It's also possible that if they weren't whitelisted before installation, the installation didn't complete properly.


I’ll reinstall and post results. Thank you for that!
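
The checks suggested in this thread (which account the service runs under, and what the System and Application logs recorded around the 1067 failure), gathered into one PowerShell script. This is an added example, not part of any post above. It assumes the service is registered under the name `graylog-sidecar` and looks back 24 hours; adjust both as needed.

```powershell
# Added example. Assumption: the service name is "graylog-sidecar".
$ServiceName = 'graylog-sidecar'
$Since       = (Get-Date).AddDays(-1)   # look-back window (assumption)

# 1. Service registration: logon account, binary path, last exit codes.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' is not installed."; return }
$svc | Format-List Name, DisplayName, State, StartMode, StartName,
                   PathName, ExitCode, ServiceSpecificExitCode

# 2. Resolve the executable from PathName (quoted or unquoted) and list who
#    may read/execute it. Compare against StartName from step 1.
if ($svc.PathName -match '^"?(.+?\.exe)"?') {
    $exe = $Matches[1]
    if (Test-Path -LiteralPath $exe) {
        (Get-Acl -LiteralPath $exe).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    } else {
        Write-Warning "Service binary not found: $exe"
    }
}

# 3. Service Control Manager events in the System log: start failures,
#    start timeouts, logon failures and unexpected terminations.
$scmIds  = 7000, 7009, 7011, 7023, 7024, 7031, 7034, 7038
$pattern = '{0}|{1}' -f [regex]::Escape($svc.Name), [regex]::Escape($svc.DisplayName)
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = $scmIds
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, Message

# 4. Critical/error/warning entries in the Application log that mention
#    the sidecar binary (crash reports, .NET or runtime faults, etc.).
Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Level     = 1, 2, 3
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'graylog-sidecar' } |
    Sort-Object TimeCreated |
    Format-List TimeCreated, ProviderName, Id, Message
```

Run it from an elevated prompt right after a failed start attempt so the relevant events fall inside the look-back window.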
