Elastic Agent System integration not collecting Windows Event Log

username11 · December 2, 2022, 9:00am

Hi. I am testing Elastic Agent (v8.0.1) + Fleet (v.8.5.2), and I'm currently having a problem with collecting Windows Event Log on a test machine. I have set up the agent and it does connect to Fleet and Elasticsearch, and it seems to be collecting metrics just fine - however, Windows Event Logs do not appear in agent dashboard, and, in fact, don't seem to be collected at all.

My understanding is that Windows Event Log collection is supposed to be working out of the box with System integration without any additional configuration (I've confirmed that the checkmarks to collect these logs are set in the policy) - in fact, trying to add a Windows integration shows a tip that the default logs were moved to the System integration. I do not see any errors in agent, Filebeat, Fleet or Elasticsearch logs (see below) that could be related.

From what I can see in the policy, Windows log collection is set up in Filebeat (it seems to have corresponding inputs in the configuraion), but I could not find anything related to Windows log collection in Filebeat documentation (as far as I know, Winlogbeat is recommended for this log type), and its own configuration (in data\elastic-agent-*\install\filebeat-*) does not seem to have anything related to Windows:

filebeat.yml only has /var/log/*.log in filebeat.inputs[].paths.
All modules in modules.d/ are marked as .disabled.

Does anyone know how else I can troubleshoot this?

Log and configuration dump follows.

Agent policy:

PS C:\Program Files\Elastic\Agent\data\elastic-agent-6e9dd4> .\elastic-agent.exe inspect
agent:
  download:
    source_uri: https://fleet001.local/downloads/
  monitoring:
    enabled: true
    logs: true
    metrics: true
    namespace: default
    use_output: default
fleet:
  hosts:
  - https://fleet001.local:8220
  - https://fleet002.local:8220
id: 3d7189c0-7165-11ed-8ad5-05f1cd72147f
inputs:
- data_stream:
    namespace: default
  id: logfile-system-9fe3cf65-fae1-488a-a206-e404586865bf
  meta:
    package:
      name: system
      version: 1.20.4
  name: system-1 (copy)
  package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
  revision: 1
  streams:
  - data_stream:
      dataset: system.auth
      type: logs
    exclude_files:
    - .gz$
    id: logfile-system.auth-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    multiline:
      match: after
      pattern: ^\s
    paths:
    - /var/log/auth.log*
    - /var/log/secure*
    processors:
    - add_locale: null
    tags:
    - system-auth
  - data_stream:
      dataset: system.syslog
      type: logs
    exclude_files:
    - .gz$
    id: logfile-system.syslog-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    multiline:
      match: after
      pattern: ^\s
    paths:
    - /var/log/messages*
    - /var/log/syslog*
    processors:
    - add_locale: null
  type: logfile
  use_output: default
- data_stream:
    namespace: default
  id: winlog-system-9fe3cf65-fae1-488a-a206-e404586865bf
  meta:
    package:
      name: system
      version: 1.20.4
  name: system-1 (copy)
  package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
  revision: 1
  streams:
  - condition: ${host.platform} == 'windows'
    data_stream:
      dataset: system.application
      type: logs
    id: winlog-system.application-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    name: Application
  - condition: ${host.platform} == 'windows'
    data_stream:
      dataset: system.security
      type: logs
    id: winlog-system.security-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    name: Security
  - condition: ${host.platform} == 'windows'
    data_stream:
      dataset: system.system
      type: logs
    id: winlog-system.system-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    name: System
  type: winlog
  use_output: default
- data_stream:
    namespace: default
  id: system/metrics-system-9fe3cf65-fae1-488a-a206-e404586865bf
## SKIPPED ##
  type: system/metrics
  use_output: default
output_permissions:
  default:
    _elastic_agent_checks:
      cluster:
      - monitor
    _elastic_agent_monitoring:
      indices:
      - names:
        - logs-elastic_agent.apm_server-default
        privileges:
        - auto_configure
        - create_doc
## SKIPPED ##
        privileges:
        - auto_configure
        - create_doc
    9fe3cf65-fae1-488a-a206-e404586865bf:
      indices:
      - names:
        - logs-system.auth-default
        privileges:
        - auto_configure
        - create_doc
## SKIPPED ##
      - names:
        - metrics-system.uptime-default
        privileges:
        - auto_configure
        - create_doc
outputs:
  default:
    api_key: ##REDACTED##
    hosts:
    - https://elasticsearch.local:9200
    ssl:
      ca_trusted_fingerprint: ##REDACTED##
    type: elasticsearch
revision: 8

Output settings:

PS C:\Program Files\Elastic\Agent\data\elastic-agent-6e9dd4> .\elastic-agent.exe inspect output --output default
[default] filebeat:
filebeat:
  inputs:
##SKIPPED (Unix logs)##
  - id: winlog-system.application-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    index: logs-system.application-default
    meta:
      package:
        name: system
        version: 1.20.4
    name: Application
    package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
    processors:
    - add_fields:
        fields:
          dataset: system.application
          namespace: default
          type: logs
        target: data_stream
    - add_fields:
        fields:
          dataset: system.application
        target: event
    - add_fields:
        fields:
          id: 536071d7-42dd-487d-a5c5-2db42ffd4937
          snapshot: false
          version: 8.0.1
        target: elastic_agent
    - add_fields:
        fields:
          id: 536071d7-42dd-487d-a5c5-2db42ffd4937
        target: agent
    revision: 1
    type: winlog
  - id: winlog-system.security-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    index: logs-system.security-default
    meta:
      package:
        name: system
        version: 1.20.4
    name: Security
    package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
    processors:
    - add_fields:
##SKIPPED##
    revision: 1
    type: winlog
  - id: winlog-system.system-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    index: logs-system.system-default
    meta:
      package:
        name: system
        version: 1.20.4
    name: System
    package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
    processors:
    - add_fields:
##SKIPPED##
    revision: 1
    type: winlog
output:
  elasticsearch:
    api_key: ##REDACTED##
    hosts:
    - https://elasticsearch.local:9200
    ssl:
      ca_trusted_fingerprint: ##REDACTED##

---
[default] metricbeat:
metricbeat:
##SKIPPED##
output:
  elasticsearch:
    api_key: ##REDACTED##
    hosts:
    - https://elasticsearch.local:9200
    ssl:
      ca_trusted_fingerprint: ##REDACTED##

---
[default] FLEET_MONITORING:
agent:
  monitoring:
    enabled: true
    logs: true
    metrics: true
    namespace: default
    use_output: default
monitoring_checksum: 4e9c99f9103a48e71155b7da1fbf5557
output:
  elasticsearch:
    api_key: ##REDACTED##
    hosts:
    - https://elasticsearch.local:9200
    ssl:
      ca_trusted_fingerprint: ##REDACTED##
    type: elasticsearch
programs:
- filebeat
- metricbeat

Excerpt from logs\elastic-agent-YYYYMMDD-*.ndjson:

{"log.level":"info","@timestamp":"2022-12-02T08:06:07.232Z","log.origin":{"file.name":"application/application.go","file.line":67},"message":"Detecting execution mode","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:07.235Z","log.origin":{"file.name":"application/application.go","file.line":92},"message":"Agent is managed by Fleet","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:07.235Z","log.origin":{"file.name":"capabilities/capabilities.go","file.line":59},"message":"capabilities file not found in C:\\Program Files\\Elastic\\Agent\\capabilities.yml","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:08.834Z","log.logger":"composable.providers.docker","log.origin":{"file.name":"docker/docker.go","file.line":43},"message":"Docker provider skipped, unable to connect: protocol not available","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:08.865Z","log.origin":{"file.name":"store/state_store.go","file.line":327},"message":"restoring current policy from disk","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:08.890Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is 9yqws3b-","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:08.890Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 3 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:12.572Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:13.127Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:13+03:00 - message: Application: metricbeat--8.0.1[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:18.445Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:18.626Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:18+03:00 - message: Application: filebeat--8.0.1[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:20.439Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:20.622Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:20+03:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:20.803Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.259Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.265Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:21+03:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.277Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is mVn-ZDJn","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.277Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 3 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.413Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.413Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.544Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.544Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.872Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.872Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.989Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.989Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.991Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:22.413Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":62},"message":"Starting stats endpoint","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:22.413Z","log.origin":{"file.name":"application/managed_mode.go","file.line":290},"message":"Agent is starting","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:22.413Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":64},"message":"Metrics endpoint listening on: \\\\.\\pipe\\elastic-agent (configured: npipe:///elastic-agent)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:24.385Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:24+03:00 - message: Application: metricbeat--8.0.1[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:25.428Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:25+03:00 - message: Application: filebeat--8.0.1[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:27.359Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:27+03:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:29.819Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:29+03:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}

Excerpt from logs\default\filebeat-YYYYMMDD.ndjson (cut after several "Non-zero metrics" events)

{"log.level":"info","@timestamp":"2022-12-02T11:06:20.825+0300","log.origin":{"file.name":"instance/beat.go","file.line":687},"message":"Beat ID: 7261cf2d-8b9a-468a-bc2b-a4769301bf5c","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:20.855+0300","log.origin":{"file.name":"instance/beat.go","file.line":704},"message":"Set gc percentage to: 100","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:23.870+0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":80},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.875+0300","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":62},"message":"Starting stats endpoint","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.875+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1050},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64","data":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\run\\default\\filebeat--8.0.1","home":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64","logs":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64\\logs"},"type":"filebeat","uuid":"7261cf2d-8b9a-468a-bc2b-a4769301bf5c"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.875+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1059},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"6e9dd49b5da9c045125078bb95be9f0dc27e8263","libbeat":"8.0.1","time":"2022-02-24T15:08:16.000Z","version":"8.0.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.875+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1062},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":2,"version":"go1.17.6"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.876+0300","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":64},"message":"Metrics endpoint listening on: \\\\.\\pipe\\default-filebeat (configured: npipe:///default-filebeat)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.883+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1066},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-12-02T11:05:35.34+03:00","name":"WIN-R2IUKDM41QB","ip":["fe80::b479:4575:7581:4d60/64","10.10.154.167/23","fe80::3898:3669:34fa:2709/64","169.254.39.9/16","::1/128","127.0.0.1/8","fe80::5efe:a0a:9aa7/128"],"kernel_version":"10.0.14393.4886 (rs1_release.220104-1735)","mac":["00:50:56:a6:57:37","54:76:b6:04:52:03","00:00:00:00:00:00:00:e0"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2016 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.4886"},"timezone":"MSK","timezone_offset_sec":10800,"id":"21566385-410d-4a3a-af3a-3b36bfcc7784"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.883+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1095},"message":"Process info","service.name":"filebeat","system_info":{"process":{"cwd":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64","exe":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64\\filebeat.exe","name":"filebeat.exe","pid":4756,"ppid":2148,"start_time":"2022-12-02T11:06:18.890+0300"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.883+0300","log.origin":{"file.name":"instance/beat.go","file.line":332},"message":"Setup Beat: filebeat; Version: 8.0.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.901+0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: http://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.901+0300","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: WIN-R2IUKDM41QB","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.090+0300","log.origin":{"file.name":"fileset/modules.go","file.line":103},"message":"Enabled modules/filesets:  ()","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.092+0300","log.origin":{"file.name":"instance/beat.go","file.line":498},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.092+0300","log.logger":"cfgwarn","log.origin":{"file.name":"management/manager.go","file.line":108},"message":"BETA: Fleet management is enabled","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.092+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":109},"message":"Starting fleet management service","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.093+0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.094+0300","log.origin":{"file.name":"service/service_windows.go","file.line":126},"message":"Attempted to register Windows service handlers, but this is not a service. No action necessary","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.420+0300","log.origin":{"file.name":"memlog/store.go","file.line":119},"message":"Loading data file of 'C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\run\\default\\filebeat--8.0.1\\registry\\filebeat' succeeded. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.422+0300","log.origin":{"file.name":"memlog/store.go","file.line":124},"message":"Finished loading transaction log file for 'C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\run\\default\\filebeat--8.0.1\\registry\\filebeat'. Active transaction id=183","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.422+0300","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.422+0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.478+0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":108},"message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.478+0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":164},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.481+0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":224},"message":"Loading of config files completed.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.927+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":150},"message":"Status change to Configuring: Updating configuration","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.929+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for filebeat.inputs","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.930+0300","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.930+0300","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.system-9fe3cf65-fae1-488a-a206-e404586865bf","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.930+0300","log.logger":"cfgwarn","log.origin":{"file.name":"log/input.go","file.line":89},"message":"DEPRECATED: Log input. Use Filestream input instead.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":171},"message":"Configured paths: [C:\\var\\log\\auth.log* C:\\var\\log\\secure*]","service.name":"filebeat","input_id":"3c294eb0-2ef5-4adf-a91e-e0bbdab3d7bd","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":171},"message":"Configured paths: [C:\\var\\log\\messages* C:\\var\\log\\syslog*]","service.name":"filebeat","input_id":"677bf743-2a93-41d2-9662-f517fcfd8a27","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for output","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: https://elasticsearch.local:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.application-9fe3cf65-fae1-488a-a206-e404586865bf","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.security-9fe3cf65-fae1-488a-a206-e404586865bf","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for filebeat.modules","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:26.875+0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":101},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.875+0300","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":139},"message":"Connecting to backoff(elasticsearch(https://elasticsearch.local:9200))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.889+0300","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":163},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.889+0300","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":174},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.891+0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":284},"message":"Attempting to connect to Elasticsearch version 8.5.2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.894+0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":284},"message":"Attempting to connect to Elasticsearch version 8.5.2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.896+0300","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":147},"message":"Connection to backoff(elasticsearch(https://elasticsearch.local:9200)) established","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:54.094+0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":468,"time":{"ms":468}},"total":{"ticks":1327,"time":{"ms":1327},"value":1327},"user":{"ticks":859,"time":{"ms":859}}},"handles":{"open":223},"info":{"ephemeral_id":"43b840e0-d3b4-467f-9dfc-850f6ac9bf02","uptime":{"ms":33422},"version":"8.0.1"},"memstats":{"gc_next":32371024,"memory_alloc":18391920,"memory_sys":49668120,"memory_total":118166944,"rss":74813440},"runtime":{"goroutines":66}},"filebeat":{"events":{"added":1150,"done":1150},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0,"starts":5},"reloads":1,"scans":1},"output":{"events":{"acked":1150,"active":0,"batches":12,"total":1150},"read":{"bytes":268389},"type":"elasticsearch","write":{"bytes":2987617}},"pipeline":{"clients":5,"events":{"active":0,"published":1150,"retry":692,"total":1150},"queue":{"acked":1150,"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:07:24.101+0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":546,"time":{"ms":78}},"total":{"ticks":1421,"time":{"ms":94},"value":1421},"user":{"ticks":875,"time":{"ms":16}}},"handles":{"open":223},"info":{"ephemeral_id":"43b840e0-d3b4-467f-9dfc-850f6ac9bf02","uptime":{"ms":63428},"version":"8.0.1"},"memstats":{"gc_next":32371024,"memory_alloc":20888936,"memory_total":120663960,"rss":75309056},"runtime":{"goroutines":66}},"filebeat":{"events":{"added":13,"done":13},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":13,"active":0,"batches":3,"total":13},"read":{"bytes":3459},"write":{"bytes":35817}},"pipeline":{"clients":5,"events":{"active":0,"published":13,"total":13},"queue":{"acked":13}}},"registrar":{"states":{"current":0}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:07:54.095+0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":765,"time":{"ms":219}},"total":{"ticks":1733,"time":{"ms":312},"value":1733},"user":{"ticks":968,"time":{"ms":93}}},"handles":{"open":225},"info":{"ephemeral_id":"43b840e0-d3b4-467f-9dfc-850f6ac9bf02","uptime":{"ms":93422},"version":"8.0.1"},"memstats":{"gc_next":32371024,"memory_alloc":28348792,"memory_sys":262144,"memory_total":128123816,"rss":75829248},"runtime":{"goroutines":66}},"filebeat":{"events":{"active":3,"added":64,"done":61},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":61,"active":0,"batches":14,"total":61},"read":{"bytes":16228},"write":{"bytes":201409}},"pipeline":{"clients":5,"events":{"active":3,"published":64,"total":64},"queue":{"acked":61}}},"registrar":{"states":{"current":0}}},"ecs.version":"1.6.0"}}

username11 · December 16, 2022, 7:32am

As it turned out, the logs were actually being collected - it's just that the agent logs (not the winlog logs themselves) did not show up in Kibana. This seems to have been caused by the log viewer trying to open a nonexistent data view - I deleted it and it seems to have fixed the problem.

system · January 13, 2023, 9:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic Agent Custom Windows Event Logs Beats winlogbeat	5	3142	June 15, 2022
Logs not being harvested after agent restart Beats filebeat , elastic-agent	10	1577	March 1, 2022
Elastic agent does not send logs Elastic Security fleet	8	2229	September 28, 2021
Agents are running properly but no data in Data Stream Beats fleet	17	2737	February 23, 2021
Migrating Winlogbeat to Elastic Agent (WEF/WEC) Elastic Agent winlogbeat	0	41	August 21, 2024

Elastic Agent System integration not collecting Windows Event Log

Related Topics