WinLogBeat sidecar error "Failed to get registered services. Skipping clean up. Access is denied"

Environment: Graylog is set up and running well. Sidecars on Windows machines reporting with winlogbeats. All working. We usually use Action1 for new machines but putting this on a unique server.

I have just installed sidecar 1.0.2-1 (newest version did not work correctly, 1.0.2 is the same version as the rest of the network and it works). Gave modify permission to the directory where it was installed to Users and System. (cleared the error on previous machine)
Sidecar would now show in Graylog but winlogbeat sidecar was failing. Stop and start winlogbeat sidecar. Still would fail, no messages in graylog from target.
In order for this setup to start pushing messages I ended up stopping / uninstalling the service then reinstalled the service via cmd line, the exact command below.

"C:\Program Files\Graylog\graylog-sidecar.exe" -service stop
"C:\Program Files\Graylog\graylog-sidecar.exe" -service uninstall
then
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

Now graylog will show messages from the target but I still see the error:
Time xxxxx level=warning msg="Failed to get registered services. Skipping clean up. Access is denied"

It appears that this is a permissions issue but for what?

Graylog 4.0.16
Sidecar 1.0.2
Target machine: Win server 2012R2
sidecar.yml:

server_url: "URL verified to work / same as other machines"
server_api_token: "secret token verified to match Graylog API"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_name: ""
update_interval: 10
tls_skip_verify: true
send_status: true

Any help is useful, thank you!

Hello && welcome @james.sawyer

The newest is 1.1.0

If you cannot create a service on Windows, that tells me it may be a permission issue.
I’m not sure if you’re running PowerShell as an Administrator.

I think this post may help.

gsmith,
You have correctly surmised that I am not using the newest sidecar; reason is because I am running an older Graylog (as stated).
I did not have any issues installing or starting services.
In fact the machine is pushing messages to graylog via the sidecar without issue but I still see this error when I run the graylog-sidecar.exe.
I’m tempted to just let it be if it is working fine. I also really want to know what this error means in case it will affect the function.

Hello,

Are you referring to this error?

This is the error:
Time xxxxx level=warning msg="Failed to get registered services. Skipping clean up. Access is denied"

Graylog is receiving and processing messages as it should.
Both “Graylog Sidecar” and “…collector” services are installed and working.
What’s with the error?

Hello

I just told you. When it states…

Access is denied is a permission issue.

Access denied = Permission issue. Got that.
But permission to what?

Hello,

This would be on a Windows device. To avoid that error, the user needs to run the installation commands for creating the GL Sidecar service in Administrator Privileges mode. That error is telling you it cannot create a service because of Privileges.

It could also mean that in this environment there is a GPO that prevents user/s or software from creating a service.

Sidecar was installed with Domain Admin. CMD was run as ADMIN. I did NOT have any issues creating the services, I did uninstall and reinstall as part of troubleshooting.

Hello,

My apologies, I get it now.
So Winlogbeat is creating this message, is this correct?

Does Winlogbeat configuration look something like this below in your Graylog’s System/Sidecar Web UI?

If it does, then I would look into the Event Viewer on Windows Server 2012 under Windows logs Section to see if you can find any issues that pertain to Graylog Sidecar or Winlogbeat having denied access to registered service/s.

If this was done already, perhaps run a troubleshooter on Windows for this app to maybe get some more details on this issue.

Not sure if you tried running SFC /SCANNOW ?

Since this is windows have you tried rebooting?

What I get out of this message is that the Winlogbeat service is unable to access registered services. Without more details on this environment it’s hard to tell what’s going on.
Windows is denying access to registered services.
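
One way to collect the environment details the last reply asks for, as an added example that is not part of the original thread. It assumes the service names or display names contain "graylog" or "winlogbeat" (adjust `$pattern` if they differ) and a one-day lookback window.

```powershell
# Added diagnostic example (not from the thread). Run on the affected Windows host.
# Assumption: service names or display names contain "graylog" or "winlogbeat".
$pattern = 'graylog|winlogbeat'

# 1. Is this console actually elevated? Under UAC, an administrator account in a
#    non-elevated console holds a filtered token without administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"User: $($identity.Name)  Elevated: $elevated"

# 2. Which account does each matching service log on as, and is it running?
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
    Select-Object Name, DisplayName, State, StartName, PathName |
    Format-List

# 3. Critical, error and warning events from the last day (assumed window) in the
#    System and Application logs that mention the sidecar or Winlogbeat.
$since  = (Get-Date).AddDays(-1)
$filter = @{ LogName = 'System', 'Application'; Level = 1, 2, 3; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match $pattern -or $_.Message -match $pattern } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message |
    Format-List
```

Comparing the `Elevated` value and each service's `StartName` against the account that launched `graylog-sidecar.exe` shows which identity is involved when the warning is logged.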
