hi,
We upgraded our ELK clusters to v7.16.1 on 2021/12/21 (Winlogbeat stayed at v7.4.2 at that point).
Everything was fine after that upgrade.
Then our AD servers (domain controllers) installed the Windows update KB5008218 on 2021/12/27 (the original post reads "2021/21/27", which is not a valid date).
Since then Winlogbeat has been forwarding incomplete data to Logstash:
our Windows servers generate about 10,000,000 Security event records, but Winlogbeat has sent only about 5,000 of them.
We have also upgraded Winlogbeat to 7.16.1, but the problem persists.
Winlogbeat configuration (winlogbeat.yml):
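winlogbeat.event_logs:
  - name: Security
    # Only event IDs 4624-6280 are collected from the Security log; records
    # outside that range (below 4624 or above 6280) are dropped at the source
    # and will never reach Logstash. NOTE(review): confirm this range is
    # intentional before using raw event counts to judge completeness.
    event_id: 4624-6280
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: System
    level: critical, error, warning

output.logstash:
  # Single Logstash endpoint. If Logstash stops acknowledging batches the
  # Beat's in-memory queue fills and event publishing stalls (back-pressure),
  # which looks like "missing" events on the receiving side.
  hosts: ["Logstash:5045"]
  # NOTE(review): no ssl.* settings are present, so this Beat->Logstash link
  # is plaintext unless Logstash enforces TLS on its side. Security audit
  # logs from domain controllers should be sent over TLS with certificate
  # verification (ssl.certificate_authorities, ssl.certificate, ssl.key).

setup.kibana:
  host: "Kibana:5601"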
Winlogbeat log (debug level). Note that in every 30-second interval below `libbeat.output.events.active` stays at 3300 and `libbeat.pipeline.events.active` stays at 4117 (the memory queue's `max_events` is 4096), only 36 bytes are ever read back from Logstash, and the first interval already shows `retry: 1100` — the Beat appears to be blocked waiting for Logstash to acknowledge batches rather than failing to read the event log:
2022-01-06T10:15:55.457+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":437,"time":{"ms":437}},"total":{"ticks":3296,"time":{"ms":3296},"value":3296},"user":{"ticks":2859,"time":{"ms":2859}}},"handles":{"open":254},"info":{"ephemeral_id":"4bf426fc-501f-437c-8e1f-d2c06df67f0d","uptime":{"ms":36131},"version":"7.16.1"},"memstats":{"gc_next":81807504,"memory_alloc":43981472,"memory_sys":85943960,"memory_total":324528656,"rss":111345664},"runtime":{"goroutines":26}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":3300,"batches":3,"total":3300},"read":{"bytes":30},"type":"logstash","write":{"bytes":1007152}},"pipeline":{"clients":1,"events":{"active":4117,"published":4116,"retry":1100,"total":4117},"queue":{"max_events":4096}}},"system":{"cpu":{"cores":4}}}}}
2022-01-06T10:16:25.459+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":468,"time":{"ms":31}},"total":{"ticks":3327,"time":{"ms":31},"value":3327},"user":{"ticks":2859}},"handles":{"open":254},"info":{"ephemeral_id":"4bf426fc-501f-437c-8e1f-d2c06df67f0d","uptime":{"ms":66132},"version":"7.16.1"},"memstats":{"gc_next":81807504,"memory_alloc":44141112,"memory_total":324688296,"rss":111390720},"runtime":{"goroutines":26}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":3300},"read":{"bytes":36}},"pipeline":{"clients":1,"events":{"active":4117}}}}}}
2022-01-06T10:16:55.462+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":531,"time":{"ms":63}},"total":{"ticks":3406,"time":{"ms":79},"value":3406},"user":{"ticks":2875,"time":{"ms":16}}},"handles":{"open":256},"info":{"ephemeral_id":"4bf426fc-501f-437c-8e1f-d2c06df67f0d","uptime":{"ms":96134},"version":"7.16.1"},"memstats":{"gc_next":81807504,"memory_alloc":44303328,"memory_total":324850512,"rss":111435776},"runtime":{"goroutines":26}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":3300},"read":{"bytes":36}},"pipeline":{"clients":1,"events":{"active":4117}}}}}}
2022-01-06T10:17:25.459+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":593,"time":{"ms":62}},"total":{"ticks":3483,"time":{"ms":77},"value":3483},"user":{"ticks":2890,"time":{"ms":15}}},"handles":{"open":258},"info":{"ephemeral_id":"4bf426fc-501f-437c-8e1f-d2c06df67f0d","uptime":{"ms":126132},"version":"7.16.1"},"memstats":{"gc_next":81807504,"memory_alloc":44452752,"memory_total":324999936,"rss":111435776},"runtime":{"goroutines":26}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":3300},"read":{"bytes":36}},"pipeline":{"clients":1,"events":{"active":4117}}}}}}
2022-01-06T10:17:55.396+0800 DEBUG [eventlog] eventlog/cache.go:136 messageFilesCache[Security] Evicting messageFiles {SourceName:Microsoft-Windows-Security-Auditing Err:<nil> Handles:[{File: Handle:16777255 Err:<nil>}]} for sourceName Microsoft-Windows-Security-Auditing.
2022-01-06T10:17:55.396+0800 DEBUG [eventlog] eventlog/cache.go:86 messageFilesCache[Security] size=0
2022-01-06T10:17:55.468+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":687,"time":{"ms":94}},"total":{"ticks":3624,"time":{"ms":141},"value":3624},"user":{"ticks":2937,"time":{"ms":47}}},"handles":{"open":258},"info":{"ephemeral_id":"4bf426fc-501f-437c-8e1f-d2c06df67f0d","uptime":{"ms":156139},"version":"7.16.1"},"memstats":{"gc_next":81911216,"memory_alloc":40962328,"memory_total":325164808,"rss":100761600},"runtime":{"goroutines":26}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":3300},"read":{"bytes":36}},"pipeline":{"clients":1,"events":{"active":4117}}}}}}
2022-01-06T10:18:25.450+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":734,"time":{"ms":47}},"total":{"ticks":3687,"time":{"ms":63},"value":3687},"user":{"ticks":2953,"time":{"ms":16}}},"handles":{"open":258},"info":{"ephemeral_id":"4bf426fc-501f-437c-8e1f-d2c06df67f0d","uptime":{"ms":186122},"version":"7.16.1"},"memstats":{"gc_next":81911216,"memory_alloc":41112824,"memory_total":325315304,"rss":98484224},"runtime":{"goroutines":26}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":3300},"read":{"bytes":36}},"pipeline":{"clients":1,"events":{"active":4117}}}}}}
2022-01-06T10:18:55.463+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":781,"time":{"ms":47}},"total":{"ticks":3765,"time":{"ms":78},"value":3765},"user":{"ticks":2984,"time":{"ms":31}}},"handles":{"open":256},"info":{"ephemeral_id":"4bf426fc-501f-437c-8e1f-d2c06df67f0d","uptime":{"ms":216134},"version":"7.16.1"},"memstats":{"gc_next":81911216,"memory_alloc":41271256,"memory_total":325473736,"rss":98467840},"runtime":{"goroutines":26}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":3300},"read":{"bytes":36}},"pipeline":{"clients":1,"events":{"active":4117}}}}}}