Elastic agent Windows integration issue

f4n-1nh1b1t10n · August 5, 2025, 8:28pm

Hello,

first post here.
Short description of the current environment:

kibana and elasticsearch on 1 host (virtualized in a vbox)
standalone elastic agent on another host (a windows laptop) with Windows (v3.1.0) & system (v2.5.2) integration
the stack and the agent are all running version 8.19.0
the laptop runs the agent and sysmon as a service

I've defined an agent policy in kibana. Added the integration for windows and system. Used the config YML it produces for the elastic agent.

The system metrics integration seems to work OK.
I'm having trouble however with the Windows modules:

Input 'winlog' failed with: input winlog-windows.sysmon_operational-18936846-6fdf-4c10-b3e8-e2cb8b32ed367 failed: input **panic** with: name winlog-windows_sysmon_operational-18936846-6fdf-4c10-b3e8-e2cb8b32ed367 already used
goroutine 121 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:26 +0x5e
github.com/elastic/beats/v7/filebeat/input/v2/input-cursor.(*managedInput).runSource.func1()
	github.com/elastic/beats/v7/filebeat/input/v2/input-cursor/input.go:172 +0x58
panic({0x84afae0?, 0xc0031d39a0?})
	runtime/panic.go:792 +0x132
github.com/elastic/elastic-agent-libs/monitoring.panicErr(...)
	github.com/elastic/elastic-agent-libs@v0.20.0/monitoring/registry.go:287
github.com/elastic/elastic-agent-libs/monitoring.(*Registry).Add(0xc0023f1340, {0xc0019dacd0?, 0xc0031da9c0?}, {0xa5afaa0, 0xc0031cee00}, 0x0?)
	github.com/elastic/elastic-agent-libs@v0.20.0/monitoring/registry.go:185 +0xca
github.com/elastic/elastic-agent-libs/monitoring.(*Registry).NewRegistry(0xc0023f1340, {0xc0019dacd0, 0x47}, {0x0?, 0xa587628?, 0x1?})
	github.com/elastic/elastic-agent-libs@v0.20.0/monitoring/registry.go:94 +0x155
github.com/elastic/beats/v7/libbeat/monitoring/inputmon.NewInputRegistry({0x96e8106, 0x6}, {0xc0000b02d0, 0x47}, 0x0)
	github.com/elastic/beats/v7/libbeat/monitoring/inputmon/input.go:73 +0x36f
github.com/elastic/beats/v7/winlogbeat/eventlog.newInputMetrics({0xc002132a80, 0x24}, {0xc0000b02d0?, 0xc0031a5420?})
	github.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:688 +0x56
github.com/elastic/beats/v7/winlogbeat/eventlog.(*winEventLog).Open(0xc0001076c0, {{0x0, 0x0}, 0x0, {0x0, 0x0, 0x0}, {0x0, 0x0}})
	github.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:334 +0x9f
github.com/elastic/beats/v7/winlogbeat/eventlog.Run({0xa5bb280, 0xc0031a6dc0}, {0xa652bc8, 0xc0026218b0}, {0xa6712d0, 0xc0001076c0}, {{0x0, 0x0}, 0x0, {0x0, ...}, ...}, ...)
	github.com/elastic/beats/v7/winlogbeat/eventlog/runner.go:80 +0x331
github.com/elastic/beats/v7/filebeat/input/winlog.winlogInput.Run({}, {0xc0031abec0, {0xc001d341b0, 0x90}, {0xc0000b02d0, 0x47}, {0x96e8106, 0x6}, {{0x96f117b, 0x8}, ...}, ...}, ...)
	github.com/elastic/beats/v7/filebeat/input/winlog/input.go:103 +0x3ff
github.com/elastic/beats/v7/filebeat/input/v2/input-cursor.(*managedInput).runSource(_, {0xc0031abec0, {0xc001d341b0, 0x90}, {0xc0000b02d0, 0x47}, {0x96e8106, 0x6}, {{0x96f117b, 0x8}, ...}, ...}, ...)
	github.com/elastic/beats/v7/filebeat/input/v2/input-cursor/input.go:196 +0x483
github.com/elastic/beats/v7/filebeat/input/v2/input-cursor.(*managedInput).Run.func1()
	github.com/elastic/beats/v7/filebeat/input/v2/input-cursor/input.go:151 +0x2f2
github.com/elastic/go-concert/unison.(*MultiErrGroup).Go.func1()
	github.com/elastic/go-concert@v0.3.0/unison/multierrgroup.go:42 +0x66
created by github.com/elastic/go-concert/unison.(*MultiErrGroup).Go in goroutine 342
	github.com/elastic/go-concert@v0.3.0/unison/multierrgroup.go:40 +0x76

The same error is produced for all Windows modules that were enabled.
there is only 1 instance of the agent running.
I've looked at Winlogbeat Fatal Error 8.7.0+ name already used - Elastic Stack / Beats - Discuss the Elastic Stack and ids from the generated yml all seem to be different.

Can someone help me?
Thanks a lot.

EDIT:

Some extra information.

Seems like the handle is not closing.

EDIT 2:

Thinking it's a unique-id-config issue, i uninstalled the agent.
installed winlogbeat, and a similar panic error prevented me from starting it.
But, this issue was already discussed in Winlogbeat Fatal Error 8.7.0+ name already used - Elastic Stack / Beats - Discuss the Elastic Stack.

In the winlogbeat yaml, you can in a clean way add a unique id to each event log you want to ingest, like so:

  - name: Microsoft-Windows-Sysmon/Operational
    id: sysmon-logs

So, given i'm not using the advantages of fleet, i'm inclined to switch over to winlogbeat, even though the agent can still be used for metrics and other event types (currently not concerned with the overhead that 2 separate beats produce).

NickFritts · August 11, 2025, 10:03am

FYI, I think you’re seeing the bug that this PR addresses: Fix panic in winlog input by faec · Pull Request #45730 · elastic/beats · GitHub

f4n-1nh1b1t10n · August 11, 2025, 4:07pm

Hallo,

thank you I am aware it was due to a bug.

Kr

Topic		Replies	Views
Errors with filebeat when trying to integrate any windows integration logs with the agent Elastic Agent filebeat	26	166	August 7, 2025
Elastic Agent System integration not collecting Windows Event Log Beats docker , fleet	2	3431	January 13, 2023
Do not recieve sysmon log from the Windows Integration in elastic agent Endpoint Security	8	2523	December 6, 2021
Elastic agent packet beat integration crash windows Elastic Agent packetbeat	1	586	March 9, 2023
Standalone Elastic Agent Winlog System Input Elastic Agent filebeat	11	59	September 7, 2025

Elastic agent Windows integration issue

Related topics