WinEventLog[System] error salvaging message: failed in EvtFormatMessage: The specified resource type cannot be found in the image file

I don't know much about Windows Server systems. What does this error mean, and how do I solve it? Thanks for any suggestion.

{"log.level":"info","@timestamp":"2022-10-27T10:31:51.822+0800","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [C:\\ProgramData\\Elastic\\Beats\\winlogbeat] Config path: [C:\\ProgramData\\Elastic\\Beats\\winlogbeat] Data path: [C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\data] Logs path: [C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\logs]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-27T10:31:51.822+0800","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: c4d75073-3714-44a0-a2dc-bb7a920e7c95","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-10-27T10:31:54.835+0800","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-27T10:31:54.835+0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1081},"message":"Beat info","service.name":"winlogbeat","system_info":{"beat":{"path":{"config":"C:\\ProgramData\\Elastic\\Beats\\winlogbeat","data":"C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\data","home":"C:\\ProgramData\\Elastic\\Beats\\winlogbeat","logs":"C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\logs"},"type":"winlogbeat","uuid":"c4d75073-3714-44a0-a2dc-bb7a920e7c95"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-10-27T10:31:54.835+0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1090},"message":"Build info","service.name":"winlogbeat","system_info":{"build":{"commit":"c2f2aba479653563dbaabefe0f86f5579708ec94","libbeat":"8.4.3","time":"2022-09-27T15:22:22.000Z","version":"8.4.3"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-10-27T10:31:54.835+0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1093},"message":"Go runtime info","service.name":"winlogbeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":16,"version":"go1.17.12"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-10-27T10:31:54.841+0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1097},"message":"Host info","service.name":"winlogbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-10-12T00:14:19+08:00","name":"WIN-KAF0HM70QDS","ip":["fe80::d921:e2a9:efc2:423f/64","10.11.73.6/27","::1/128","127.0.0.1/8","fe80::5efe:a0b:4906/128"],"kernel_version":"6.3.9600.20173 (winblue_ltsb_escrow.211029-1700)","mac":["fa:16:3e:4b:d7:6b","00:00:00:00:00:00:00:e0"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2012 R2 Standard","version":"6.3","major":3,"minor":0,"patch":0,"build":"9600.20174"},"timezone":"CST","timezone_offset_sec":28800,"id":"b92ef485-c601-4535-989c-a9dc1d0e57cc"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-10-27T10:31:54.841+0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1126},"message":"Process info","service.name":"winlogbeat","system_info":{"process":{"cwd":"C:\\ProgramData\\Elastic\\Beats\\winlogbeat","exe":"C:\\ProgramData\\Elastic\\Beats\\\ufffd½\ufffd\ufffdļ\ufffd\ufffd\ufffd\\winlogbeat.exe","name":"winlogbeat.exe","pid":3884,"ppid":4596,"start_time":"2022-10-27T10:31:51.641+0800"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-10-27T10:31:54.841+0800","log.origin":{"file.name":"instance/beat.go","file.line":293},"message":"Setup Beat: winlogbeat; Version: 8.4.3","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-27T10:31:56.218+0800","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":108},"message":"elasticsearch url: http://10.11.82.35:9200","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-27T10:31:56.219+0800","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: WIN-KAF0HM70QDS","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-27T10:31:56.219+0800","log.logger":"winlogbeat","log.origin":{"file.name":"beater/winlogbeat.go","file.line":69},"message":"State will be read from and persisted to C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\data\\.winlogbeat.yml","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-27T10:31:56.219+0800","log.origin":{"file.name":"instance/beat.go","file.line":470},"message":"winlogbeat start running.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-27T10:31:56.221+0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":143},"message":"Starting metrics logging every 30s","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-10-27T10:31:56.251+0800","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":141},"message":"Open() error. No events will be read from this source.","service.name":"winlogbeat","id":"Microsoft-Windows-Sysmon/Operational","error":{"message":"The specified channel could not be found. Check channel configuration."},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-10-27T10:31:56.251+0800","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":125},"message":"Stop processing.","service.name":"winlogbeat","id":"Microsoft-Windows-Sysmon/Operational","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-10-27T10:31:56.251+0800","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":128},"message":"Close() error.","service.name":"winlogbeat","id":"Microsoft-Windows-Sysmon/Operational","error":{"message":"The handle is invalid."},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-10-27T10:31:56.251+0800","log.origin":{"file.name":"eventlog/wineventlog.go","file.line":335},"message":"WinEventLog[System] error salvaging message: failed in EvtFormatMessage: The specified resource type cannot be found in the image file.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-10-27T10:31:56.251+0800","log.origin":{"file.name":"eventlog/wineventlog.go","file.line":335},"message":"WinEventLog[System] error salvaging message: failed in EvtFormatMessage: The specified resource type cannot be found in the image file.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-10-27T10:31:56.251+0800","log.origin":{"file.name":"eventlog/wineventlog.go","file.line":335},"message":"WinEventLog[System] error salvaging message: failed in EvtFormatMessage: The specified resource type cannot be found in the image file.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-10-27T10:31:56.251+0800","log.origin":{"file.name":"eventlog/wineventlog.go","file.line":335},"message":"WinEventLog[System] error salvaging message: failed in EvtFormatMessage: The specified resource type cannot be found in the image file.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-10-27T10:31:56.251+0800","log.origin":{"file.name":"eventlog/wineventlog.go","file.line":335},"message":"WinEventLog[System] error salvaging message: failed in EvtFormatMessage: The specified resource type cannot be found in the image file.","service.name":"winlogbeat","ecs.version":"1.6.0"}
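The log shows two separate problems: the Sysmon channel cannot be opened, and EvtFormatMessage cannot render some System-channel events because a provider's message resource cannot be located. The check below is an added example, not code from the original post or from Winlogbeat; it assumes an elevated PowerShell session on the host that produced these logs.

```powershell
# Added diagnostic (not from the original post). Run as Administrator on the affected host.

# 1. The Open() warning: is the Sysmon channel registered at all?
$channel = 'Microsoft-Windows-Sysmon/Operational'
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
if (-not $log) {
    "Channel '$channel' is not registered on this host; Sysmon is most likely not installed, " +
    "which explains 'The specified channel could not be found'."
} else {
    "Channel '$channel' found: enabled=$($log.IsEnabled), records=$($log.RecordCount)"
}

# 2. The EvtFormatMessage error on the System channel: for every provider that writes
#    to System, verify that the message/parameter files its registration points to exist.
#    A missing or mismatched file is the usual reason a message cannot be rendered; Winlogbeat
#    still ships the raw event data, but the human-readable 'message' field will be empty.
$missing = @()
foreach ($name in (Get-WinEvent -ListLog System).ProviderNames) {
    $prov = Get-WinEvent -ListProvider $name -ErrorAction SilentlyContinue
    if (-not $prov) { continue }
    foreach ($path in @($prov.MessageFilePath, $prov.ParameterFilePath) | Where-Object { $_ }) {
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        if (-not (Test-Path -LiteralPath $expanded)) {
            $missing += [pscustomobject]@{ Provider = $name; File = $expanded }
        }
    }
}
if ($missing) {
    "Providers on the System channel with unresolved message files:"
    $missing | Format-Table -AutoSize
} else {
    "All System-channel provider message files resolve; check whether the installed " +
    "message DLLs match the OS build (6.3.9600) shown in the Host info log line."
}
```

The second check only proves a file exists, not that it contains a message table, so a provider that points at the wrong build of a DLL can still fail to render.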
