Log warning about missing Windows Events

Tadas · April 29, 2022, 12:20pm

Hi!

There is no good way to detect situations where Winlogbeat is starting up and unable to continue ingesting events from the last bookmarked position (i.e. event log has rolled forward and some events have been lost).

Had this happen with Security events. Eventlog size wasn't sufficient, Winlogbeat was down and tons of security events were logged to the point where the log rolled over.

I think it would be useful if Winlogbeat had a warning in this case, so it's easy to detect and remediate. Currently it outputs a debug message, but enabling (and ingesting) debug level logs feels overkill, a warning would be more appropriate.

github.com

elastic/beats/blob/d1e442243644e9aa25f5b71159e09be84800e994/winlogbeat/eventlog/wineventlog.go#L234

      
        
            		0, // Session - nil for localhost
            		signalEvent,
            		"",       // Channel - empty b/c channel is in the query
            		l.query,  // Query - nil means all events
            		bookmark, // Bookmark - for resuming from a specific event
            		flags)
            
            
	switch {
            	case errors.Is(err, win.ERROR_NOT_FOUND), errors.Is(err, win.ERROR_EVT_QUERY_RESULT_STALE),
            		errors.Is(err, win.ERROR_EVT_QUERY_RESULT_INVALID_POSITION):
            		debugf("%s error subscribing (first chance): %v", l.logPrefix, err)
            		// The bookmarked event was not found, we retry the subscription from the start.
            		incrementMetric(readErrors, err)
            		subscriptionHandle, err = win.Subscribe(0, signalEvent, "", l.query, 0, win.EvtSubscribeStartAtOldestRecord)
            	}
            
            
	if err != nil {
            		debugf("%s error subscribing (final): %v", l.logPrefix, err)
            		return err
            	}

system · May 27, 2022, 2:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.