I apologise for not having a more appropriate title.
I hope the members of the community are safe and healthy.
I have a host where Winlogbeat is not sending any logs.
The host has extensive ongoing application, system, and even security logging, given the enabled advanced auditing.
Here is the snippet of the Winlogbeat-specific settings:

```yaml
# ======================== Winlogbeat specific options =========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name, id, xml_query, tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml.
# The xml_query key requires an id and must not be used with the name,
# ignore_older, level, event_id, or provider keys. Please visit the
# documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

  # - name: Kaspersky Event Log
  # - name: PowerShellCore/Operational
  # - name: Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
  # - name: Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
  # - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  # - name: Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
  # - name: Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
  # - name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
  # - name: Microsoft-Windows-Policy/Operational
```
Both `winlogbeat test config` and `winlogbeat test output` are successful. The Winlogbeat service is set to start automatically.

When I run `.\winlogbeat.exe -e`, I get the following set of logs:

```json
{"log.level":"info","@timestamp":"2024-04-22T23:46:02.598+0530","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":811},"message":"Home path: [C:\\Program Files\\Winlogbeat] Config path: [C:\\Program Files\\Winlogbeat] Data path: [C:\\Program Files\\Winlogbeat\\data] Logs path: [C:\\Program Files\\Winlogbeat\\logs]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-04-22T23:46:02.599+0530","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":819},"message":"Beat ID: 50df4e00-207f-43fa-8e73-073eaace82cd","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-04-22T23:46:02.923+0530","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1365},"message":"Beat info","service.name":"winlogbeat","system_info":{"beat":{"path":{"config":"C:\\Program Files\\Winlogbeat","data":"C:\\Program Files\\Winlogbeat\\data","home":"C:\\Program Files\\Winlogbeat","logs":"C:\\Program Files\\Winlogbeat\\logs"},"type":"winlogbeat","uuid":"50df4e00-207f-43fa-8e73-073eaace82cd"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-04-22T23:46:02.923+0530","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1374},"message":"Build info","service.name":"winlogbeat","system_info":{"build":{"commit":"d41b4978ea7b4d7c6020b47ffd8a3b8642531fe3","libbeat":"8.13.2","time":"2024-04-02T09:57:14.000Z","version":"8.13.2"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-04-22T23:46:02.923+0530","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1377},"message":"Go runtime info","service.name":"winlogbeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":8,"version":"go1.21.8"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-04-22T23:46:03.044+0530","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":334},"message":"Setup Beat: winlogbeat; Version: 8.13.2","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-04-22T23:46:03.269+0530","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.LoadWithSettings","file.name":"pipeline/module.go","file.line":105},"message":"Beat name: inmum-i-mwp01","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-04-22T23:46:06.069+0530","log.origin":{"function":"github.com/elastic/beats/v7/winlogbeat/eventlog.(*winEventLog).Read","file.name":"eventlog/wineventlog.go","file.line":477},"message":"WinEventLog[Application] error salvaging message (event id=1 qualifier=0 provider=\"Universal Print\" created at 2024-04-19 18:59:43.8401055 +0000 UTC will be included without a message): failed in EvtFormatMessage: The locale specific resource for the desired message is not present.","service.name":"winlogbeat","ecs.version":"1.6.0"}
```
and

```json
{"log.level":"info","@timestamp":"2024-04-22T23:56:33.287+0530","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"winlogbeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":593},"total":{"ticks":2780,"time":{"ms":16},"value":2780},"user":{"ticks":2187,"time":{"ms":16}}},"info":{"ephemeral_id":"70dbc80e-ff92-4fe2-abc8-d29528968b70","uptime":{"ms":630713},"version":"8.13.2"},"memstats":{"gc_next":74643992,"memory_alloc":37006152,"memory_total":525726760,"rss":101163008},"runtime":{"goroutines":38}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":7,"events":{"active":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-04-22T23:57:03.288+0530","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"winlogbeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":593},"total":{"ticks":2780,"value":2780},"user":{"ticks":2187}},"info":{"ephemeral_id":"70dbc80e-ff92-4fe2-abc8-d29528968b70","uptime":{"ms":660714},"version":"8.13.2"},"memstats":{"gc_next":74643992,"memory_alloc":37256088,"memory_total":525976696,"rss":101163008},"runtime":{"goroutines":38}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":7,"events":{"active":0}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2024-04-22T23:57:33.286+0530","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot","file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"winlogbeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":593},"total":{"ticks":2780,"value":2780},"user":{"ticks":2187}},"info":{"ephemeral_id":"70dbc80e-ff92-4fe2-abc8-d29528968b70","uptime":{"ms":690712},"version":"8.13.2"},"memstats":{"gc_next":74643992,"memory_alloc":37500328,"memory_total":526220936,"rss":101163008},"runtime":{"goroutines":38}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"write":{"latency":{"histogram":{"count":0,"max":0,"mean":0,"median":0,"min":0,"p75":0,"p95":0,"p99":0,"p999":0,"stddev":0}}}},"pipeline":{"clients":7,"events":{"active":0}}},"system":{"handles":{"open":-2}}},"ecs.version":"1.6.0"}}
```
Output is distributed between two Logstash hosts running a mirror configuration to ingest Beats logs. I can get logs using the same pipelines from different hosts.

I generated security events while running to stderr, but nothing was captured in the PowerShell output.
What could be the next diagnostic step?
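One way to turn the `-e` console stream into a concrete answer to "is anything flowing?" is to parse the 30-second monitoring snapshots and check which counters appear in them. This is an added example, not code from the post or from Elastic; it keys off the dotted metric names libbeat reports (`libbeat.pipeline.clients`, `libbeat.pipeline.events.published`, `libbeat.output.events.acked`, `libbeat.output.events.failed`), and it relies on the snapshot message "Non-zero metrics in the last 30s" meaning that zero-valued counters are simply omitted, so an absent `events.published` is read as "nothing was read from any channel in that window". The sample lines are constructed to mirror the snapshot shape above (pipeline clients present, no published or acked counters) alongside a constructed healthy window for contrast.

```python
"""Triage Winlogbeat's `-e` JSON log stream: warn/error messages plus a per-snapshot flow verdict."""
import json
from typing import Dict, Iterable, List

# Constructed sample lines shaped like Winlogbeat 8.x console output (not real captures).
# Snapshot 1 mirrors the "nothing flowing" case from the post; snapshot 2 is a constructed
# healthy window; the last line shows that non-JSON noise in the stream is tolerated.
SAMPLE_LINES = [
    json.dumps({"log.level": "warn",
                "log.origin": {"function": "winlogbeat/eventlog.(*winEventLog).Read"},
                "message": "WinEventLog[Application] error salvaging message: failed in EvtFormatMessage"}),
    json.dumps({"log.level": "info", "log.logger": "monitoring",
                "message": "Non-zero metrics in the last 30s",
                "monitoring": {"metrics": {"libbeat": {
                    "output": {"events": {"active": 0}},
                    "pipeline": {"clients": 7, "events": {"active": 0}}}}}}),
    json.dumps({"log.level": "info", "log.logger": "monitoring",
                "message": "Non-zero metrics in the last 30s",
                "monitoring": {"metrics": {"libbeat": {
                    "output": {"events": {"acked": 120, "batches": 3, "total": 120}},
                    "pipeline": {"clients": 7, "events": {"published": 120, "total": 120}}}}}}),
    "not a json line",
]


def flatten(node: Dict[str, object], prefix: str = "") -> Dict[str, object]:
    """Turn nested metric dicts into dotted keys, e.g. libbeat.pipeline.events.published."""
    out: Dict[str, object] = {}
    for key, value in node.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def verdict(metrics: Dict[str, object]) -> str:
    """Classify one 30s snapshot. Assumption: the reporter prints only non-zero
    counters, so a missing key is treated as zero for that window."""
    clients = int(metrics.get("libbeat.pipeline.clients", 0))
    published = int(metrics.get("libbeat.pipeline.events.published", 0))
    acked = int(metrics.get("libbeat.output.events.acked", 0))
    failed = int(metrics.get("libbeat.output.events.failed", 0))
    if clients == 0:
        return "no-readers"       # no event_logs entries registered with the pipeline
    if published == 0:
        return "nothing-read"     # readers exist, but no events came out of the channels
    if acked == 0 and failed > 0:
        return "output-failing"   # events published, output rejecting them
    if acked == 0:
        return "output-unacked"   # events published, output never acknowledged
    return "healthy"


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Collect warn/error messages and one verdict per monitoring snapshot."""
    problems: List[str] = []
    verdicts: List[str] = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # -e output can be interleaved with non-JSON lines; skip them
        if rec.get("log.level") in ("warn", "error"):
            problems.append(str(rec.get("message", "")))
        if rec.get("log.logger") == "monitoring" and "monitoring" in rec:
            verdicts.append(verdict(flatten(rec["monitoring"]["metrics"])))
    return {"problems": problems, "verdicts": verdicts}


if __name__ == "__main__":
    # Usage against a real capture: .\winlogbeat.exe -e 2>&1 | python triage.py
    import sys
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    print(json.dumps(triage(source), indent=2))
```

On the snapshots quoted in the post this yields `nothing-read` for every window: seven pipeline clients (one per configured channel) are registered, but no `published` or `acked` counter ever appears, which points at the readers rather than at Logstash. The `EvtFormatMessage` warning is only a missing message-resource problem and does not by itself stop events from being shipped.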