Elastic Agent System integration not collecting Windows Event Log

Hi. I am testing Elastic Agent (v8.0.1) + Fleet (v8.5.2), and I'm currently having a problem with collecting Windows Event Log on a test machine. I have set up the agent and it does connect to Fleet and Elasticsearch, and it seems to be collecting metrics just fine - however, Windows Event Logs do not appear in the agent dashboard and, in fact, don't seem to be collected at all.

My understanding is that Windows Event Log collection is supposed to be working out of the box with System integration without any additional configuration (I've confirmed that the checkmarks to collect these logs are set in the policy) - in fact, trying to add a Windows integration shows a tip that the default logs were moved to the System integration. I do not see any errors in agent, Filebeat, Fleet or Elasticsearch logs (see below) that could be related.

From what I can see in the policy, Windows log collection is set up in Filebeat (it seems to have corresponding inputs in the configuration), but I could not find anything related to Windows log collection in the Filebeat documentation (as far as I know, Winlogbeat is recommended for this log type), and its own configuration (in data\elastic-agent-*\install\filebeat-*) does not seem to have anything related to Windows:

  • filebeat.yml only has /var/log/*.log in filebeat.inputs[].paths.

  • All modules in modules.d/ are marked as .disabled.

Does anyone know how else I can troubleshoot this?

Log and configuration dump follows.

Agent policy:

PS C:\Program Files\Elastic\Agent\data\elastic-agent-6e9dd4> .\elastic-agent.exe inspect
agent:
  download:
    source_uri: https://fleet001.local/downloads/
  monitoring:
    enabled: true
    logs: true
    metrics: true
    namespace: default
    use_output: default
fleet:
  hosts:
  - https://fleet001.local:8220
  - https://fleet002.local:8220
id: 3d7189c0-7165-11ed-8ad5-05f1cd72147f
inputs:
- data_stream:
    namespace: default
  id: logfile-system-9fe3cf65-fae1-488a-a206-e404586865bf
  meta:
    package:
      name: system
      version: 1.20.4
  name: system-1 (copy)
  package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
  revision: 1
  streams:
  - data_stream:
      dataset: system.auth
      type: logs
    exclude_files:
    - .gz$
    id: logfile-system.auth-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    multiline:
      match: after
      pattern: ^\s
    paths:
    - /var/log/auth.log*
    - /var/log/secure*
    processors:
    - add_locale: null
    tags:
    - system-auth
  - data_stream:
      dataset: system.syslog
      type: logs
    exclude_files:
    - .gz$
    id: logfile-system.syslog-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    multiline:
      match: after
      pattern: ^\s
    paths:
    - /var/log/messages*
    - /var/log/syslog*
    processors:
    - add_locale: null
  type: logfile
  use_output: default
- data_stream:
    namespace: default
  id: winlog-system-9fe3cf65-fae1-488a-a206-e404586865bf
  meta:
    package:
      name: system
      version: 1.20.4
  name: system-1 (copy)
  package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
  revision: 1
  streams:
  - condition: ${host.platform} == 'windows'
    data_stream:
      dataset: system.application
      type: logs
    id: winlog-system.application-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    name: Application
  - condition: ${host.platform} == 'windows'
    data_stream:
      dataset: system.security
      type: logs
    id: winlog-system.security-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    name: Security
  - condition: ${host.platform} == 'windows'
    data_stream:
      dataset: system.system
      type: logs
    id: winlog-system.system-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    name: System
  type: winlog
  use_output: default
- data_stream:
    namespace: default
  id: system/metrics-system-9fe3cf65-fae1-488a-a206-e404586865bf
## SKIPPED ##
  type: system/metrics
  use_output: default
output_permissions:
  default:
    _elastic_agent_checks:
      cluster:
      - monitor
    _elastic_agent_monitoring:
      indices:
      - names:
        - logs-elastic_agent.apm_server-default
        privileges:
        - auto_configure
        - create_doc
## SKIPPED ##
        privileges:
        - auto_configure
        - create_doc
    9fe3cf65-fae1-488a-a206-e404586865bf:
      indices:
      - names:
        - logs-system.auth-default
        privileges:
        - auto_configure
        - create_doc
## SKIPPED ##
      - names:
        - metrics-system.uptime-default
        privileges:
        - auto_configure
        - create_doc
outputs:
  default:
    api_key: ##REDACTED##
    hosts:
    - https://elasticsearch.local:9200
    ssl:
      ca_trusted_fingerprint: ##REDACTED##
    type: elasticsearch
revision: 8

Output settings:

PS C:\Program Files\Elastic\Agent\data\elastic-agent-6e9dd4> .\elastic-agent.exe inspect output --output default
[default] filebeat:
filebeat:
  inputs:
##SKIPPED (Unix logs)##
  - id: winlog-system.application-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    index: logs-system.application-default
    meta:
      package:
        name: system
        version: 1.20.4
    name: Application
    package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
    processors:
    - add_fields:
        fields:
          dataset: system.application
          namespace: default
          type: logs
        target: data_stream
    - add_fields:
        fields:
          dataset: system.application
        target: event
    - add_fields:
        fields:
          id: 536071d7-42dd-487d-a5c5-2db42ffd4937
          snapshot: false
          version: 8.0.1
        target: elastic_agent
    - add_fields:
        fields:
          id: 536071d7-42dd-487d-a5c5-2db42ffd4937
        target: agent
    revision: 1
    type: winlog
  - id: winlog-system.security-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    index: logs-system.security-default
    meta:
      package:
        name: system
        version: 1.20.4
    name: Security
    package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
    processors:
    - add_fields:
##SKIPPED##
    revision: 1
    type: winlog
  - id: winlog-system.system-9fe3cf65-fae1-488a-a206-e404586865bf
    ignore_older: 72h
    index: logs-system.system-default
    meta:
      package:
        name: system
        version: 1.20.4
    name: System
    package_policy_id: 9fe3cf65-fae1-488a-a206-e404586865bf
    processors:
    - add_fields:
##SKIPPED##
    revision: 1
    type: winlog
output:
  elasticsearch:
    api_key: ##REDACTED##
    hosts:
    - https://elasticsearch.local:9200
    ssl:
      ca_trusted_fingerprint: ##REDACTED##

---
[default] metricbeat:
metricbeat:
##SKIPPED##
output:
  elasticsearch:
    api_key: ##REDACTED##
    hosts:
    - https://elasticsearch.local:9200
    ssl:
      ca_trusted_fingerprint: ##REDACTED##

---
[default] FLEET_MONITORING:
agent:
  monitoring:
    enabled: true
    logs: true
    metrics: true
    namespace: default
    use_output: default
monitoring_checksum: 4e9c99f9103a48e71155b7da1fbf5557
output:
  elasticsearch:
    api_key: ##REDACTED##
    hosts:
    - https://elasticsearch.local:9200
    ssl:
      ca_trusted_fingerprint: ##REDACTED##
    type: elasticsearch
programs:
- filebeat
- metricbeat

Excerpt from logs\elastic-agent-YYYYMMDD-*.ndjson:

{"log.level":"info","@timestamp":"2022-12-02T08:06:07.232Z","log.origin":{"file.name":"application/application.go","file.line":67},"message":"Detecting execution mode","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:07.235Z","log.origin":{"file.name":"application/application.go","file.line":92},"message":"Agent is managed by Fleet","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:07.235Z","log.origin":{"file.name":"capabilities/capabilities.go","file.line":59},"message":"capabilities file not found in C:\\Program Files\\Elastic\\Agent\\capabilities.yml","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:08.834Z","log.logger":"composable.providers.docker","log.origin":{"file.name":"docker/docker.go","file.line":43},"message":"Docker provider skipped, unable to connect: protocol not available","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:08.865Z","log.origin":{"file.name":"store/state_store.go","file.line":327},"message":"restoring current policy from disk","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:08.890Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is 9yqws3b-","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:08.890Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 3 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:12.572Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:13.127Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:13+03:00 - message: Application: metricbeat--8.0.1[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:18.445Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:18.626Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:18+03:00 - message: Application: filebeat--8.0.1[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:20.439Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:20.622Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:20+03:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:20.803Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.259Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.265Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:21+03:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.277Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is mVn-ZDJn","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.277Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 3 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.413Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.413Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.544Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.544Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.872Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.872Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.989Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.989Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:21.991Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:22.413Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":62},"message":"Starting stats endpoint","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:22.413Z","log.origin":{"file.name":"application/managed_mode.go","file.line":290},"message":"Agent is starting","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:22.413Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":64},"message":"Metrics endpoint listening on: \\\\.\\pipe\\elastic-agent (configured: npipe:///elastic-agent)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:24.385Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:24+03:00 - message: Application: metricbeat--8.0.1[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:25.428Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:25+03:00 - message: Application: filebeat--8.0.1[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:27.359Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:27+03:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T08:06:29.819Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-12-02T11:06:29+03:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[536071d7-42dd-487d-a5c5-2db42ffd4937]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}

Excerpt from logs\default\filebeat-YYYYMMDD.ndjson (cut after several "Non-zero metrics" events)

{"log.level":"info","@timestamp":"2022-12-02T11:06:20.825+0300","log.origin":{"file.name":"instance/beat.go","file.line":687},"message":"Beat ID: 7261cf2d-8b9a-468a-bc2b-a4769301bf5c","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:20.855+0300","log.origin":{"file.name":"instance/beat.go","file.line":704},"message":"Set gc percentage to: 100","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:23.870+0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":80},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.875+0300","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":62},"message":"Starting stats endpoint","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.875+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1050},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64","data":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\run\\default\\filebeat--8.0.1","home":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64","logs":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64\\logs"},"type":"filebeat","uuid":"7261cf2d-8b9a-468a-bc2b-a4769301bf5c"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.875+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1059},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"6e9dd49b5da9c045125078bb95be9f0dc27e8263","libbeat":"8.0.1","time":"2022-02-24T15:08:16.000Z","version":"8.0.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.875+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1062},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":2,"version":"go1.17.6"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.876+0300","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":64},"message":"Metrics endpoint listening on: \\\\.\\pipe\\default-filebeat (configured: npipe:///default-filebeat)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.883+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1066},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-12-02T11:05:35.34+03:00","name":"WIN-R2IUKDM41QB","ip":["fe80::b479:4575:7581:4d60/64","10.10.154.167/23","fe80::3898:3669:34fa:2709/64","169.254.39.9/16","::1/128","127.0.0.1/8","fe80::5efe:a0a:9aa7/128"],"kernel_version":"10.0.14393.4886 (rs1_release.220104-1735)","mac":["00:50:56:a6:57:37","54:76:b6:04:52:03","00:00:00:00:00:00:00:e0"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2016 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"14393.4886"},"timezone":"MSK","timezone_offset_sec":10800,"id":"21566385-410d-4a3a-af3a-3b36bfcc7784"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.883+0300","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1095},"message":"Process info","service.name":"filebeat","system_info":{"process":{"cwd":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64","exe":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\install\\filebeat-8.0.1-windows-x86_64\\filebeat.exe","name":"filebeat.exe","pid":4756,"ppid":2148,"start_time":"2022-12-02T11:06:18.890+0300"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.883+0300","log.origin":{"file.name":"instance/beat.go","file.line":332},"message":"Setup Beat: filebeat; Version: 8.0.1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.901+0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: http://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:23.901+0300","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: WIN-R2IUKDM41QB","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.090+0300","log.origin":{"file.name":"fileset/modules.go","file.line":103},"message":"Enabled modules/filesets:  ()","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.092+0300","log.origin":{"file.name":"instance/beat.go","file.line":498},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.092+0300","log.logger":"cfgwarn","log.origin":{"file.name":"management/manager.go","file.line":108},"message":"BETA: Fleet management is enabled","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.092+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":109},"message":"Starting fleet management service","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.093+0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.094+0300","log.origin":{"file.name":"service/service_windows.go","file.line":126},"message":"Attempted to register Windows service handlers, but this is not a service. No action necessary","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.420+0300","log.origin":{"file.name":"memlog/store.go","file.line":119},"message":"Loading data file of 'C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\run\\default\\filebeat--8.0.1\\registry\\filebeat' succeeded. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.422+0300","log.origin":{"file.name":"memlog/store.go","file.line":124},"message":"Finished loading transaction log file for 'C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-6e9dd4\\run\\default\\filebeat--8.0.1\\registry\\filebeat'. Active transaction id=183","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.422+0300","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.422+0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.478+0300","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":108},"message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.478+0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":164},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.481+0300","log.origin":{"file.name":"cfgfile/reload.go","file.line":224},"message":"Loading of config files completed.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.927+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":150},"message":"Status change to Configuring: Updating configuration","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.929+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for filebeat.inputs","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.930+0300","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.930+0300","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.system-9fe3cf65-fae1-488a-a206-e404586865bf","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.930+0300","log.logger":"cfgwarn","log.origin":{"file.name":"log/input.go","file.line":89},"message":"DEPRECATED: Log input. Use Filestream input instead.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":171},"message":"Configured paths: [C:\\var\\log\\auth.log* C:\\var\\log\\secure*]","service.name":"filebeat","input_id":"3c294eb0-2ef5-4adf-a91e-e0bbdab3d7bd","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":171},"message":"Configured paths: [C:\\var\\log\\messages* C:\\var\\log\\syslog*]","service.name":"filebeat","input_id":"677bf743-2a93-41d2-9662-f517fcfd8a27","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.931+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for output","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: https://elasticsearch.local:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.application-9fe3cf65-fae1-488a-a206-e404586865bf","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.security-9fe3cf65-fae1-488a-a206-e404586865bf","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for filebeat.modules","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:26.875+0300","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":101},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.875+0300","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":139},"message":"Connecting to backoff(elasticsearch(https://elasticsearch.local:9200))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.889+0300","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":163},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.889+0300","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":174},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.891+0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":284},"message":"Attempting to connect to Elasticsearch version 8.5.2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.894+0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":284},"message":"Attempting to connect to Elasticsearch version 8.5.2","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:27.896+0300","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":147},"message":"Connection to backoff(elasticsearch(https://elasticsearch.local:9200)) established","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:54.094+0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":468,"time":{"ms":468}},"total":{"ticks":1327,"time":{"ms":1327},"value":1327},"user":{"ticks":859,"time":{"ms":859}}},"handles":{"open":223},"info":{"ephemeral_id":"43b840e0-d3b4-467f-9dfc-850f6ac9bf02","uptime":{"ms":33422},"version":"8.0.1"},"memstats":{"gc_next":32371024,"memory_alloc":18391920,"memory_sys":49668120,"memory_total":118166944,"rss":74813440},"runtime":{"goroutines":66}},"filebeat":{"events":{"added":1150,"done":1150},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0,"starts":5},"reloads":1,"scans":1},"output":{"events":{"acked":1150,"active":0,"batches":12,"total":1150},"read":{"bytes":268389},"type":"elasticsearch","write":{"bytes":2987617}},"pipeline":{"clients":5,"events":{"active":0,"published":1150,"retry":692,"total":1150},"queue":{"acked":1150,"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:07:24.101+0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":546,"time":{"ms":78}},"total":{"ticks":1421,"time":{"ms":94},"value":1421},"user":{"ticks":875,"time":{"ms":16}}},"handles":{"open":223},"info":{"ephemeral_id":"43b840e0-d3b4-467f-9dfc-850f6ac9bf02","uptime":{"ms":63428},"version":"8.0.1"},"memstats":{"gc_next":32371024,"memory_alloc":20888936,"memory_total":120663960,"rss":75309056},"runtime":{"goroutines":66}},"filebeat":{"events":{"added":13,"done":13},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":13,"active":0,"batches":3,"total":13},"read":{"bytes":3459},"write":{"bytes":35817}},"pipeline":{"clients":5,"events":{"active":0,"published":13,"total":13},"queue":{"acked":13}}},"registrar":{"states":{"current":0}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-12-02T11:07:54.095+0300","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":765,"time":{"ms":219}},"total":{"ticks":1733,"time":{"ms":312},"value":1733},"user":{"ticks":968,"time":{"ms":93}}},"handles":{"open":225},"info":{"ephemeral_id":"43b840e0-d3b4-467f-9dfc-850f6ac9bf02","uptime":{"ms":93422},"version":"8.0.1"},"memstats":{"gc_next":32371024,"memory_alloc":28348792,"memory_sys":262144,"memory_total":128123816,"rss":75829248},"runtime":{"goroutines":66}},"filebeat":{"events":{"active":3,"added":64,"done":61},"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":61,"active":0,"batches":14,"total":61},"read":{"bytes":16228},"write":{"bytes":201409}},"pipeline":{"clients":5,"events":{"active":3,"published":64,"total":64},"queue":{"acked":61}}},"registrar":{"states":{"current":0}}},"ecs.version":"1.6.0"}}

As it turned out, the logs were actually being collected - it's just that the agent logs (not the winlog logs themselves) did not show up in Kibana. This seems to have been caused by the log viewer trying to open a nonexistent data view - I deleted it and it seems to have fixed the problem.
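A small triage script, added here and not part of the thread, that reads a Filebeat ndjson log like the excerpt above and reports whether the three winlog inputs (Application, Security, System) started and how many events the Elasticsearch output acknowledged. The embedded log lines are constructed for the example and `EXAMPLE-POLICY-ID` is a placeholder for the real package policy id.

```python
import json
import re

# Constructed sample lines modelled on the filebeat ndjson excerpt in the thread.
# Timestamps, ids and counters are invented; the real file is
# logs\default\filebeat-YYYYMMDD.ndjson under the agent data directory.
SAMPLE_LOG = """
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.478+0300","log.logger":"crawler","message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.929+0300","log.logger":"centralmgmt.fleet","message":"Applying settings for filebeat.inputs","service.name":"filebeat"}
{"log.level":"warn","@timestamp":"2022-12-02T11:06:24.930+0300","log.logger":"input","message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.930+0300","log.logger":"input.winlog","message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.system-EXAMPLE-POLICY-ID"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"input.winlog","message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.application-EXAMPLE-POLICY-ID"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:24.932+0300","log.logger":"input.winlog","message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.security-EXAMPLE-POLICY-ID"}
{"log.level":"info","@timestamp":"2022-12-02T11:06:54.094+0300","log.logger":"monitoring","message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"libbeat":{"output":{"events":{"acked":1150,"total":1150}}},"filebeat":{"harvester":{"open_files":0,"running":0}}}}}
{"log.level":"info","@timestamp":"2022-12-02T11:07:24.101+0300","log.logger":"monitoring","message":"Non-zero metrics in the last 30s","service.name":"filebeat","monitoring":{"metrics":{"libbeat":{"output":{"events":{"acked":13,"total":13}}},"filebeat":{"harvester":{"open_files":0,"running":0}}}}}
this line is deliberately not JSON to exercise the parser's error handling
"""

# The three channels the System integration ships for Windows (see the policy dump).
EXPECTED_CHANNELS = {"application", "security", "system"}


def parse_ndjson(text):
    """Parse one JSON object per line; skip blank or truncated lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def winlog_inputs(events):
    """Map dataset name (e.g. 'security') to the input id of each 'Input winlog starting' event."""
    found = {}
    for ev in events:
        if ev.get("log.logger") == "input.winlog" and ev.get("message") == "Input winlog starting":
            m = re.match(r"winlog-system\.([a-z]+)-", ev.get("id", ""))
            if m:
                found[m.group(1)] = ev["id"]
    return found


def acked_events(events):
    """Sum libbeat.output.events.acked over all 'Non-zero metrics' reports."""
    total = 0
    for ev in events:
        if not str(ev.get("message", "")).startswith("Non-zero metrics"):
            continue
        metrics = ev.get("monitoring", {}).get("metrics", {})
        total += metrics.get("libbeat", {}).get("output", {}).get("events", {}).get("acked", 0)
    return total


def harvesters_running(events):
    """Highest filebeat.harvester.running seen; 0 means no file-based input had anything to read."""
    running = 0
    for ev in events:
        metrics = ev.get("monitoring", {}).get("metrics", {})
        running = max(running, metrics.get("filebeat", {}).get("harvester", {}).get("running", 0))
    return running


def assess(text):
    """Summarise a Filebeat log: which winlog inputs started and whether events reached the output."""
    events = parse_ndjson(text)
    channels = winlog_inputs(events)
    missing = sorted(EXPECTED_CHANNELS - set(channels))
    acked = acked_events(events)
    if missing:
        verdict = "inputs_missing"      # policy condition or platform check likely failed
    elif acked == 0:
        verdict = "no_events_acked"     # inputs started but nothing reached Elasticsearch
    else:
        # Note: the crawler's "Enabled inputs: 0" only counts inputs from filebeat.yml;
        # Fleet-managed inputs are applied afterwards ("Applying settings for filebeat.inputs").
        # With acked events and no file harvesters running, the events came from the winlog
        # inputs, so the data is in Elasticsearch and the gap is on the Kibana side.
        verdict = "collecting"
    return {
        "winlog_channels": sorted(channels),
        "missing_channels": missing,
        "acked_events": acked,
        "harvesters_running": harvesters_running(events),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOG), indent=2))
```

On a real host, read the ndjson file from the agent's `logs\default` directory and pass its contents to `assess`; a `collecting` verdict with the three channels present points at the Kibana data view rather than at the agent, which is what resolved the thread.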
