I had Elastic Agent 8.4 running, consuming Windows events using the System integration, and the ingest stops, with this warning showing right before the ingest stops:
I am really keen to know what can be done to debug it further.
Error document:
agent.type: filebeat
agent.version: 8.4.1
data_stream.dataset: elastic_agent.filebeat
data_stream.namespace: windows
data_stream.type: logs
ecs.version: 8.0.0
WinEventLog[winlog-system.security-33773421-0947-4529-9336-2e720922b49a] EventHandles returned error The parameter is incorrect.
log.origin.file.name: eventlog/wineventlog.go
host.os.family: windows
host.os.kernel: 10.0.17763.3532 (WinBuild.160101.0800)
host.os.name: Windows Server 2019 Datacenter
host.os.platform: windows
host.os.type: windows
host.os.version: 10.0
input.type: filestream
log.file.path: C:\Program Files\Elastic\Agent\data\elastic-agent-8d7885\logs\default\filebeat-20221126-10.ndjson
log.level: warn
Additional messages preceding this event:
"message": "Input 'winlog' failed with: input.go:130: input winlog-system.security-33773421-0947-4529-9336-2e720922b49a failed (id=winlog-system.security-33773421-0947-4529-9336-2e720922b49a) The parameter is incorrect."
"message": "Error occured while reading from Windows Event Log 'winlog-system.security-33773421-0947-4529-9336-2e720922b49a': The parameter is incorrect."
The issue is very intermittent, so I am a bit reluctant to leave the debug running for long periods of time.