Windows Security Log Events Remain Stuck in Queue

cappy · February 5, 2018, 3:13pm

I am collecting Windows Security Event Logs from a Windows machine using Winlogbeat, and that is sending to my box that hosts Logstash fine, but for some reason or another, the Security log events are getting stuck in LS's persistent queue (checked page file in /queue/main).

I am not seeing any errors in the LS or ES log.

Other Windows event logs get read in correctly (Application/System) and I can find them in Kibana without issue. Does anyone have any advice or suggestions to resolve this issue?

Winlogbeat version: 6.1.3
ES/LS version: 6.1.3

Thanks,
Cappy

cappy · February 8, 2018, 12:45pm

The issue here was that a config file in the pipeline was causing the event to match on it, causing the event to never exit the pipeline.

system · March 8, 2018, 12:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.