I am struggling to add custom Windows Event Logs to my Elastic Agents / my Agent Policy and make it work. For example, I would like to ingest into Elasticsearch the Event Logs from the Remote Desktop Services server role, which uses a few different log channels from Microsoft-Windows-TerminalServices.
I am new to the Elastic Stack and started with Winlogbeat as a standalone shipper before trying out Fleet and Elastic Agents. With Winlogbeat I could add custom logs with either XML queries or just the channel reference with "- name: ..." itself. This does not work with the Custom Windows Event Logs integration, and I cannot comprehend why. I got error logs saying that the specified channel was not found, which is not correct.
I tried adding just one channel in the Windows Event Logs integration configuration, like "Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational", or editing the .yml file in the advanced options like I did with Winlogbeat, but I receive no logs.
System Metrics and Standard Windows Channel logs from the System Integration are shipped without any issues.
Also, I am not quite sure how I can troubleshoot this further. I know that with Winlogbeat as a standalone shipper there was the option to start the .exe file with the -e parameter to see if any handles could not be started (in case specified log channels were not found or similar).
Elastic Stack is in Version 7.17.2 as are the Elastic-Agents.
The first thing I would do is to grab a copy of the Agent policy. You'll find the generated config from the winlog integration in there. See Elastic Agent policies | Fleet and Elastic Agent Guide [8.2] | Elastic. The winlog input config should be similar to what Winlogbeat uses. You can share that section here if you'd like. Maybe we can spot a config issue.
Thank you for the help, I appreciate it. Currently I have one Agent Policy for Windows Server with four integrations; three of them are Custom Windows Event Logs:
Also, here are the errors from one Agent, from the elastic_agent.filebeat dataset, on a Windows Server with an NPS and Remote Desktop Gateway role:
[elastic_agent.filebeat][error] 2 errors: Error creating runner from config: Failed to create new event log. failed unpacking config. 1 error: xml_query cannot be used with 'name' accessing config; Error creating runner from config: Failed to create new event log. failed unpacking config. 1 error: xml_query cannot be used with 'name' accessing config
[elastic_agent.filebeat][error] Input 'winlog' failed with: input.go:130: input winlog-winlog.winlog-c1e4d4c1-d3f1-49d9-8b6d-1338519d01df failed (id=winlog-winlog.winlog-c1e4d4c1-d3f1-49d9-8b6d-1338519d01df)
failed to open windows event log: The specified Channeln was not found. Check the Channel configuration.
[elastic_agent.filebeat][error] failed applying config blocks: <nil>
So I guess XML queries from the Windows Event Log cannot be put in as a 1:1 copy? I am still not sure why the specified channels for the Remote Desktop Services are not working.
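As an added troubleshooting example (not code from this thread or from Elastic), the PowerShell below runs on the host that carries the Elastic Agent and checks two things that the agent errors above point at: that each channel you intend to ship actually exists (and is enabled), and that the XML query you would place in xml_query is accepted by the local event log service. The first channel is the one named in the thread; the other two TerminalServices channels are assumed to be present on a Remote Desktop Services host, so adjust the list for your server role. Note that the error text quoted above says xml_query cannot be combined with name, so in the winlog input the channel path belongs either in `name:` (simple form) or inside the query's `<Select Path="...">` (xml_query form), never in both at once.

```powershell
# Added example, not from the thread or from Elastic: verify winlog channels and an
# XML query on the agent host before putting them into the Custom Windows Event Logs
# integration. Run in an elevated PowerShell on the server.

# Channels to ship. The first is the channel named in the thread; the other two are
# assumed to exist on a Remote Desktop Services host (adjust for your role).
$channels = @(
    'Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
)

# 1. Channel check. A mistyped or absent channel throws here, which is the same
#    condition behind "The specified channel was not found" in the agent log. A
#    channel that exists but is disabled never receives events, so report IsEnabled.
foreach ($c in $channels) {
    try {
        $log = Get-WinEvent -ListLog $c -ErrorAction Stop
        '{0,-72} enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount
    } catch {
        "MISSING  $c : $($_.Exception.Message)"
    }
}

# 2. Build the query in the form Event Viewer exports. In a winlog input the channel
#    goes into `name:` for the simple form, or into <Select Path="..."> for the
#    xml_query form; the agent error above shows the two cannot be combined.
$selects = ($channels | ForEach-Object { "    <Select Path=`"$_`">*</Select>" }) -join "`n"
$xmlQuery = @"
<QueryList>
  <Query Id="0" Path="$($channels[0])">
$selects
  </Query>
</QueryList>
"@

# 3. Dry-run the query against the local event log service. It rejects the same
#    things the agent would (unknown channel, bad XPath). "No events were found"
#    is not a config error; it only means the selected channels are still empty.
try {
    Get-WinEvent -FilterXml $xmlQuery -MaxEvents 5 -ErrorAction Stop |
        Format-Table TimeCreated, LogName, Id, ProviderName -AutoSize
} catch {
    "Query result: $($_.Exception.Message)"
}
```

If step 1 reports a channel as missing, the name in the integration is wrong for that host (the channel names differ between the RD Session Host, Connection Broker and Gateway roles). If step 3 accepts the query, the same QueryList can go into xml_query as-is; the remaining point is to not also set the channel as `name:` on the same event log entry.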
So my custom integrations with XML queries for Certificate Services as well as NPS logs are working fine, and the events are sent to my index in Elasticsearch. I am still testing with the custom integration for RDP logs, and currently my Agent Policy for those three integrations looks as follows:
I am still getting the same error message and I do not understand why to be honest.
14:40:57.556 elastic_agent.filebeat [elastic_agent.filebeat][error] Error creating runner from config: Failed to create new event log. failed unpacking config. 1 error: xml_query cannot be used with 'name' accessing config
14:40:57.556 elastic_agent.filebeat [elastic_agent.filebeat][error] 3 errors: Error creating runner from config: Failed to create new event log. failed unpacking config. 1 error: xml_query cannot be used with 'name' accessing config; Error creating runner from config: Failed to create new event log. failed unpacking config. 1 error: xml_query cannot be used with 'name' accessing config; Error creating runner from config: Failed to create new event log. failed unpacking config. 1 error: xml_query cannot be used with 'name' accessing config
14:40:57.557 elastic_agent.filebeat [elastic_agent.filebeat][error] failed applying config blocks: <nil>