Winlogbeat 8.7.1 service crashes immediately after starting

Hi All,

On a fresh install (Server 2022) the Winlogbeat service crashes immediately after starting (when there are events in the monitored log present) or - when the log is cleared - it crashes after the first event comes in.

This is my winlogbeat.yml:

fields_under_root: true
source: node_name

output.logstash:
  hosts: ["10.11.7.40:5044"]

winlogbeat.event_logs:
  - name: ForwardedEvents

I basically run this on a logserver that collects certain event logs from Windows clients and moves them to "Forwarded Events".

For troubleshooting purposes I deleted the "data" and "logs" folder. No difference.
I checked using process monitor if there is any "access denied" but access seems all ok.

Winlogbeat.exe service is started with these parameters:
"C:\Program Files\Elastic\Beats\8.7.1\winlogbeat\winlogbeat.exe" --path.home "C:\Program Files\Elastic\Beats\8.7.1\winlogbeat" --path.config "C:\ProgramData\Elastic\Beats\winlogbeat" --path.data "C:\ProgramData\Elastic\Beats\winlogbeat\data" --path.logs "C:\ProgramData\Elastic\Beats\winlogbeat\logs" -E logging.files.redirect_stderr=true

The logs show this information for a single crash (sorry for spamming you guys with huge amount of logs but unfortunately I can't read anything useful out of these):

{"log.level":"info","@timestamp":"2023-05-09T15:27:40.583+0200","log.origin":{"file.name":"instance/beat.go","file.line":742},"message":"Home path: [C:\\Program Files\\Elastic\\Beats\\8.7.1\\winlogbeat] Config path: [C:\\ProgramData\\Elastic\\Beats\\winlogbeat] Data path: [C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\data] Logs path: [C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\logs]","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T15:27:40.588+0200","log.origin":{"file.name":"instance/beat.go","file.line":750},"message":"Beat ID: 2829f97f-2164-4cce-b055-79757a812524","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T15:27:40.602+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1167},"message":"Beat info","service.name":"winlogbeat","system_info":{"beat":{"path":{"config":"C:\\ProgramData\\Elastic\\Beats\\winlogbeat","data":"C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\data","home":"C:\\Program Files\\Elastic\\Beats\\8.7.1\\winlogbeat","logs":"C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\logs"},"type":"winlogbeat","uuid":"2829f97f-2164-4cce-b055-79757a812524"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-05-09T15:27:40.602+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1176},"message":"Build info","service.name":"winlogbeat","system_info":{"build":{"commit":"bda40535cf0743b97017512e6af6d661eeef956e","libbeat":"8.7.1","time":"2023-04-23T04:26:37.000Z","version":"8.7.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-05-09T15:27:40.602+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1179},"message":"Go runtime info","service.name":"winlogbeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":2,"version":"go1.19.7"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-05-09T15:27:40.614+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1185},"message":"Host info","service.name":"winlogbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-02-25T04:06:43+01:00","name":"SRVLOG003","ip":["fe80::9400:395e:4423:d34a","10.11.7.30","::1","127.0.0.1"],"kernel_version":"10.0.20348.1129 (WinBuild.160101.0800)","mac":["00:15:5d:02:15:15"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows Server 2022 Standard","version":"10.0","major":10,"minor":0,"patch":0,"build":"20348.1129"},"timezone":"CEST","timezone_offset_sec":7200,"id":"78be1843-7cc2-4129-92e5-22d701badad3"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-05-09T15:27:40.614+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1214},"message":"Process info","service.name":"winlogbeat","system_info":{"process":{"cwd":"C:\\Windows\\system32","exe":"C:\\Program Files\\Elastic\\Beats\\8.7.1\\winlogbeat\\winlogbeat.exe","name":"winlogbeat.exe","pid":3608,"ppid":696,"start_time":"2023-05-09T15:27:40.502+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-05-09T15:27:40.614+0200","log.origin":{"file.name":"instance/beat.go","file.line":299},"message":"Setup Beat: winlogbeat; Version: 8.7.1","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T15:27:42.996+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: SRVLOG003","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T15:27:42.997+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/winlogbeat.go","file.line":70},"message":"State will be read from and persisted to C:\\ProgramData\\Elastic\\Beats\\winlogbeat\\data\\.winlogbeat.yml","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T15:27:42.997+0200","log.origin":{"file.name":"instance/beat.go","file.line":491},"message":"winlogbeat start running.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-05-09T15:27:42.997+0200","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":145},"message":"Starting metrics logging every 30s","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-05-09T15:27:43.001+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/winlogbeat.go","file.line":150},"message":"Winlogbeat is unable to load the ingest pipelines because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines, you can ignore this warning.","service.name":"winlogbeat","ecs.version":"1.6.0"}
Exception 0xc0000005 0x1 0x0 0x7ff8394ce254
PC=0x7ff8394ce254

runtime.cgocall(0xe5f440, 0xc00007aac0)
	runtime/cgocall.go:158 +0x4a fp=0xc0004f2c78 sp=0xc0004f2c40 pc=0xdf48ea
syscall.SyscallN(0x26?, {0xc0004f2d10?, 0x0?, 0xc000881110?})
	runtime/syscall_windows.go:557 +0x109 fp=0xc0004f2cf0 sp=0xc0004f2c78 pc=0xe5a409
syscall.Syscall9(0xc000881110?, 0x1?, 0x1?, 0xc0004f2db8?, 0x180d72f?, 0xe446c9?, 0x390d660?, 0xc0002c02f8?, 0xc0004f2dd0?, 0x0, ...)
	runtime/syscall_windows.go:507 +0x78 fp=0xc0004f2d68 sp=0xc0004f2cf0 pc=0xe5a118
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog._EvtFormatMessage(0xc00001f2c0?, 0x26?, 0x0, 0x0, 0x0?, 0x1, 0x0, 0x1?, 0x1?)
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/zsyscall_windows.go:132 +0xe5 fp=0xc0004f2e00 sp=0xc0004f2d68 pc=0x1822205
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.evtFormatMessage(0xc00001f2c0?, 0x26?, 0x0?, {0x0?, 0x0, 0x1?}, 0x1?)
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:82 +0x9e fp=0xc0004f2ed0 sp=0xc0004f2e00 pc=0x18128be
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.getMessageString(0xc00001f2c0?, 0x4000?, 0x4000?, {0x0?, 0xe5a01b?, 0x100f83341a780?})
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:58 +0x45 fp=0xc0004f2f18 sp=0xc0004f2ed0 pc=0x1812765
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.getMessageStringFromHandle(...)
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:34
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.Message(0x4000?, {0xc00038c000?, 0x41cabc0?, 0xc0002c4380?}, 0xc0004f3010)
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/wineventlog_windows.go:274 +0x12c fp=0xc0004f2fe8 sp=0xc0004f2f18 pc=0x182094c
github.com/elastic/beats/v7/winlogbeat/eventlog.newWinEventLog.func5(0xc000454000?)
	github.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:292 +0x55 fp=0xc0004f3030 sp=0xc0004f2fe8 pc=0x2581055
github.com/elastic/beats/v7/winlogbeat/eventlog.(*winEventLog).Read(0xc000454000)
	github.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:467 +0x811 fp=0xc0004f36a0 sp=0xc0004f3030 pc=0x2582a71
github.com/elastic/beats/v7/winlogbeat/beater.(*eventLogger).run(0xc0002f4ae0, 0xc00008c540, {0x41e8470?, 0xc0005571e0}, {{0x0, 0x0}, 0x0, {0x0, 0x0, 0x0}, ...}, ...)
	github.com/elastic/beats/v7/winlogbeat/beater/eventlogger.go:162 +0xb07 fp=0xc0004f3ed8 sp=0xc0004f36a0 pc=0x25897a7
github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).processEventLog(0x0?, 0x0?, 0x0?, {{0x0, 0x0}, 0x0, {0x0, 0x0, 0x0}, {0x0, ...}}, ...)
	github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:203 +0xb3 fp=0xc0004f3f70 sp=0xc0004f3ed8 pc=0x258c193
github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).Run.func2()
	github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:171 +0x55 fp=0xc0004f3fe0 sp=0xc0004f3f70 pc=0x258bf15
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0xc0004f3fe8 sp=0xc0004f3fe0 pc=0xe5db41
created by github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).Run
	github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:171 +0x37a


I just noticed one more thing in Sysinternals Process Monitor:
Basically directly before the crash winlogbeat.exe is trying to access C:\Windows\System32\Microsoft-Windows-Security-Mitigations.

Actually - considering the configuration in winlogbeat.yml - winlogbeat shouldn't be interested at all in this area. It should only consider the logs in "Forwarded Events".

Interestingly the first forwarded event in the list of "forwarded events" originating from an external system is initially from Microsoft-Windows-Security-Mitigations (windows event is following):

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Mitigations" Guid="{fae10392-f0af-4ac0-b8ff-9f4d920c3cdf}" />
    <EventID>10</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-05-08T13:30:00.8624216Z" />
    <EventRecordID>102906</EventRecordID>
    <Correlation />
    <Execution ProcessID="13496" ThreadID="14392" />
    <Channel>Microsoft-Windows-Security-Mitigations/KernelMode</Channel>
    <Computer>DES020.example.com</Computer>
    <Security UserID="S-1-5-21-1234567890-1234567890-123456789-1234" />
  </System>
  <EventData>
    <Data Name="ProcessPathLength">84</Data>
    <Data Name="ProcessPath">\Device\HarddiskVolume4\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe</Data>
    <Data Name="ProcessCommandLineLength">512</Data>
    <Data Name="ProcessCommandLine">"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=proxy_resolver.mojom.ProxyResolverFactory --lang=en-US --service-sandbox-type=service --log-severity=disable --user-agent-product="ReaderServices/23.1.20143 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\sven.dudas\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=3164 --field-trial-handle=1636,i,6053985548598525494</Data>
    <Data Name="CallingProcessId">13496</Data>
    <Data Name="CallingProcessCreateTime">2023-05-08T13:30:00.8517621Z</Data>
    <Data Name="CallingProcessStartKey">96827391988470059</Data>
    <Data Name="CallingProcessSignatureLevel">0</Data>
    <Data Name="CallingProcessSectionSignatureLevel">0</Data>
    <Data Name="CallingProcessProtection">0</Data>
    <Data Name="CallingThreadId">14392</Data>
    <Data Name="CallingThreadCreateTime">2023-05-08T13:30:00.8517636Z</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message />
    <Level />
    <Task />
    <Opcode />
    <Channel />
    <Provider />
    <Keywords />
  </RenderingInfo>
</Event>

So I guess it is no coincidence that winlogbeat.exe is trying to look into an area which the client - who forwarded the event - is mentioning in the "Provider Name" section.

Also I noticed that for this event the whole "RenderingInfo" section is blank. That also means nothing is shown for this particular event in the Windows event log "General" tab.

Maybe some of that additional information helps to guide me into the right direction for fixing that issue.

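The post above notes that the forwarded event arrived with an empty "RenderingInfo" section. The following added example (not part of the original thread and not Elastic's code) lists such events in an XML export of the ForwardedEvents log, so the affected providers and source computers can be identified; the function names and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample (not real data): three events under one root element, as an
# XML export of ForwardedEvents would have them (for instance from
# `wevtutil qe ForwardedEvents /f:RenderedXml /e:Events`). The first mirrors the
# event in the post: RenderingInfo is present but its children are empty.
SAMPLE_EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Mitigations" />
    <EventID>10</EventID>
    <EventRecordID>102906</EventRecordID>
    <Channel>Microsoft-Windows-Security-Mitigations/KernelMode</Channel>
    <Computer>DES020.example.com</Computer>
  </System>
  <RenderingInfo Culture="en-US"><Message /><Level /><Task /></RenderingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <EventRecordID>102907</EventRecordID>
    <Channel>Security</Channel>
    <Computer>DES021.example.com</Computer>
  </System>
  <RenderingInfo Culture="en-US">
    <Message>An account was successfully logged on.</Message>
  </RenderingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Provider" />
    <EventID>1</EventID>
    <EventRecordID>102908</EventRecordID>
    <Channel>Example/Operational</Channel>
    <Computer>DES021.example.com</Computer>
  </System>
</Event>
</Events>"""


def _text(event, path):
    """Stripped text of the first node matching path, or '' if missing."""
    node = event.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def rendering_state(event):
    """Classify one <Event>: 'rendered', 'empty' (blank Message) or 'absent'."""
    info = event.find("e:RenderingInfo", NS)
    if info is None:
        return "absent"
    return "rendered" if _text(info, "e:Message") else "empty"


def unrendered_events(xml_text):
    """Return one dict per event that carries no rendered message text."""
    # Event XML never carries a DTD. Forwarded content is written by other
    # hosts, so refuse DOCTYPE instead of letting the parser expand entities.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in event export")
    root = ET.fromstring(xml_text)
    findings = []
    for event in root.iter("{%s}Event" % EVT_NS):
        state = rendering_state(event)
        if state == "rendered":
            continue
        provider = event.find("e:System/e:Provider", NS)
        findings.append({
            "record_id": _text(event, "e:System/e:EventRecordID"),
            "computer": _text(event, "e:System/e:Computer"),
            "provider": provider.get("Name", "") if provider is not None else "",
            "channel": _text(event, "e:System/e:Channel"),
            "state": state,
        })
    return findings


def by_provider(findings):
    """Count unrendered events per (provider, state) pair."""
    return Counter((f["provider"], f["state"]) for f in findings)


if __name__ == "__main__":
    found = unrendered_events(SAMPLE_EXPORT)
    for f in found:
        print("{record_id:>8}  {state:<7} {computer:<22} {provider}".format(**f))
    for (provider, state), n in sorted(by_provider(found).items()):
        print(f"{n} x {provider} ({state})")
```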

Could you please try running with

winlogbeat.event_logs:
  - name: ForwardedEvents
    forwarded: true

I think something may have changed in Windows. This might help you work around the issue assuming you are forwarding events in "RenderedText" mode.

Hi @andrewkroh,

Thank you!
That doesn't help unfortunately (just tried it) but it seems like I found the answer to this issue yesterday already after searching for a while in a pull request.
Due to my limited understanding on how GitHub works I thought the fix should be already included in 8.7.0 but one of the team members just wrote an hour ago in that pull request that this will be fixed in 8.7.2.

Now, since 8.7.1 has been released just recently and, again, my limited GitHub knowledge - is there some place where I can find "nightly" builds or something like that? My search was not successful. :confused:
I guess it might take a while otherwise until 8.7.2 gets released officially.

This API returns URLs to snapshot builds.

https://artifacts-api.elastic.co/v1/versions/8.7.2-SNAPSHOT/builds/latest/projects/beats


@andrewkroh, thank you! Winlogbeat is working for now and no longer crashing since I replaced the .exe from the 8.7.2 snapshot builds.
Is that worth mentioning in the pull request 34865 that I linked? Or would that be considered spam?

That would be appreciated. Thank you.
