Unable to filter more than 22 eventIDs


#1

The relevant output from -e -d "*"

DBG  WinEventLog[ForwardedEvents] using subscription query=<QueryList>
  <Query Id="0">
    <Select Path="ForwardedEvents">*[System[(EventID=1 or EventID=2 or EventID=3 or EventID=4 or EventID=5 or EventID=6 or EventID=7 or EventID=8 or EventID=9 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=15 or EventID=16 or EventID=17 or EventID=18 or EventID=19 or EventID=20 or EventID=21 or EventID=22 or EventID=23 or EventID=24)]]</Select>
  </Query>
</QueryList>
WARN EventLog[ForwardedEvents] Open() error. No events will be read from this source. The specified query is invalid.

According to KB970453, more than 22 event sources need to be split into separate queries.

I have successfully tested the following query in Event Viewer where the above fails.

<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=1 or EventID=2 or EventID=3 or EventID=4 or EventID=5 or EventID=6 or EventID=7 or EventID=8 or EventID=9 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=15 or EventID=16 or EventID=17 or EventID=18 or EventID=19 or EventID=20 or EventID=21 or EventID=22 or EventID=23)]]</Select>
  </Query>
  <Query Id="1" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(EventID=24)]]</Select>
  </Query>
</QueryList>

(Andrew Kroh) #2

Thanks for reporting this. If only Microsoft had it in their documentation we would have accounted for it. Can you please open an issue in the elastic/beats repo for this problem? And what OS were you trying this on?

For starters we can document the current limitation in our reference docs. And longer term I want to add support for more advanced queries and also raw XML queries which should make it possible to work around the limit.


#3

I encountered this error on 2008R2 and have also demonstrated it on 2012R2.

Advanced queries and raw XML would be great. In the meantime I've come up with an admittedly hacky workaround to show off a working POC of winlogbeat.

- name: ForwardedEvents
  event_id: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23
- name: ForwardedEvents
  event_id: 24
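As an added example (not code from the original posts or from winlogbeat), the PowerShell below generalises the two workarounds in this thread, the split QueryList from post #1 and the duplicated event_logs entries from post #3: one list of event IDs is chunked so that no single <Query> element carries more than 22 EventID terms, emitted either as QueryList XML for Event Viewer / Get-WinEvent or as the equivalent winlogbeat event_logs stanzas, and the XML is checked against the live log with Get-WinEvent -FilterXml, which is the same call that rejects the 24-ID query above. The function names, the default chunk size of 22 (the figure the thread takes from KB970453) and the winlogbeat.event_logs key are this example's assumptions.

```powershell
# Added example for this thread; hypothetical helper names, not winlogbeat code.
# Default chunk size 22 is the limit the thread attributes to KB970453.

function Split-EventIdList {
    param(
        [Parameter(Mandatory)][int[]]$EventId,
        [int]$MaxPerQuery = 22
    )
    # De-duplicate and sort so the generated queries are stable and minimal.
    $ids = @($EventId | Sort-Object -Unique)
    $chunks = @()
    for ($i = 0; $i -lt $ids.Count; $i += $MaxPerQuery) {
        $end = [Math]::Min($i + $MaxPerQuery, $ids.Count) - 1
        # Leading comma keeps each chunk as one array element instead of flattening.
        $chunks += ,([int[]]($ids[$i..$end]))
    }
    return ,$chunks
}

function New-SplitQueryList {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int[]]$EventId,
        [int]$MaxPerQuery = 22
    )
    # One <Query> element per chunk, each with its own Id and Path, as in post #1.
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<QueryList>')
    $queryId = 0
    foreach ($chunk in (Split-EventIdList -EventId $EventId -MaxPerQuery $MaxPerQuery)) {
        $terms = ($chunk | ForEach-Object { "EventID=$_" }) -join ' or '
        [void]$sb.AppendLine("  <Query Id=`"$queryId`" Path=`"$LogName`">")
        [void]$sb.AppendLine("    <Select Path=`"$LogName`">*[System[($terms)]]</Select>")
        [void]$sb.AppendLine('  </Query>')
        $queryId++
    }
    [void]$sb.Append('</QueryList>')
    return $sb.ToString()
}

function New-SplitWinlogbeatEventLogs {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int[]]$EventId,
        [int]$MaxPerQuery = 22
    )
    # Same log listed once per chunk, as in the post #3 workaround.
    $lines = @('winlogbeat.event_logs:')
    foreach ($chunk in (Split-EventIdList -EventId $EventId -MaxPerQuery $MaxPerQuery)) {
        $lines += "  - name: $LogName"
        $lines += "    event_id: $($chunk -join ', ')"
    }
    return ($lines -join "`n")
}

function Test-EventLogQuery {
    param([Parameter(Mandatory)][string]$QueryXml)
    # A malformed query raises a terminating error ("The specified query is invalid").
    # A valid query that matches nothing raises "No events were found", which counts
    # as accepted here (message text assumes an English locale).
    try {
        Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents 1 -ErrorAction Stop | Out-Null
        return $true
    } catch {
        if ($_.Exception.Message -like 'No events were found*') { return $true }
        Write-Warning "Query rejected: $($_.Exception.Message)"
        return $false
    }
}

# Usage: the 24 IDs from the thread become two <Query> elements (22 + 2).
$ids = 1..24
$xml = New-SplitQueryList -LogName 'ForwardedEvents' -EventId $ids
$xml
Test-EventLogQuery -QueryXml $xml
New-SplitWinlogbeatEventLogs -LogName 'ForwardedEvents' -EventId $ids
```

Reading ForwardedEvents with Get-WinEvent needs membership in Event Log Readers or an elevated prompt; the query is still parsed before any access check, so an "invalid query" warning from Test-EventLogQuery points at the XML, not at permissions. To reproduce the failure in the thread, call New-SplitQueryList with -MaxPerQuery 24 and run the test again.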
