I recently upgraded my setup from 8.18.2 to 9.0.4, and upgraded my Winlogbeats to 9.1.3. Since doing that upgrade, the logs for my winlogbeat agents are being flooded with logs like
{"log.level":"warn","@timestamp":"2025-09-03T13:09:54.494-0500","log.logger":"wineventlog.renderer","log.origin":{"function":"github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.(*Renderer).addEventData","file.name":"wineventlog/renderer.go","file.line":308},"message":"The number of event data parameters doesn't match the number of parameters in the template.","service.name":"winlogbeat","id":"WEC-Process-Execution","channel":"WEC-Process-Execution","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,"event_parameter_count":14,"template_parameter_count":15,"template_version":2,"event_version":2,"ecs.version":"1.6.0"}
The id and channel change depending on the log in question, and it appears that switching to 'include_xml: true' on the channel configuration alleviates the issue; I'm not sure if this is a bug in the Windows event API, or if I might have something misconfigured. Looking for any guidance, other than setting all channels to include_xml, that might resolve these warnings.
Example channel config:
- name: WEC-Process-Execution
  ignore_older: 72h
  forwarded: true
  tags: ["forwarded","wec-process-execution"]
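
To see which channels, providers and event IDs produce the warning quoted above, and how far the parameter counts are off, the Winlogbeat JSON log can be summarized with a short script. This is an added example, not part of the original post; the function names and the sample lines are constructed for illustration, with the first record reusing the fields of the quoted warning.

```python
import json
from collections import Counter

# Constructed sample input. The first record reuses fields from the warning in the
# post; the "Example" channel, the info line and the broken line are made up.
_POST = {"log.level": "warn", "log.logger": "wineventlog.renderer",
         "channel": "WEC-Process-Execution",
         "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4688,
         "event_parameter_count": 14, "template_parameter_count": 15,
         "template_version": 2, "event_version": 2}
_OTHER = dict(_POST, channel="WEC-Example-Channel", provider="Example-Provider",
              event_id=1000, event_parameter_count=5, template_parameter_count=3)
SAMPLE_LOG = "\n".join([
    json.dumps(_POST), json.dumps(_POST), json.dumps(_OTHER),
    json.dumps({"log.level": "info", "log.logger": "publisher", "message": "x"}),
    '{"log.level":"warn","log.logger":"wineventlog.rend',  # truncated line
])


def summarize_mismatches(lines):
    """Count renderer warnings per (channel, provider, event_id,
    event_version, template_version, event_count - template_count)."""
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("log.logger") != "wineventlog.renderer":
            continue
        if "event_parameter_count" not in rec or "template_parameter_count" not in rec:
            continue
        delta = rec["event_parameter_count"] - rec["template_parameter_count"]
        counts[(rec.get("channel"), rec.get("provider"), rec.get("event_id"),
                rec.get("event_version"), rec.get("template_version"), delta)] += 1
    return counts


def affected_channels(counts):
    """Channels with at least one mismatch warning."""
    return sorted({key[0] for key in counts})


if __name__ == "__main__":
    for key, n in summarize_mismatches(SAMPLE_LOG.splitlines()).most_common():
        print(n, key)
```

A negative delta means the event carried fewer data parameters than the template declares, as in the 4688 warning from the post (14 against 15).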