Winlogbeat 9.1.3 - agent logs floodinig with warnings

novaksam · September 3, 2025, 6:48pm

I recently upgraded my setup from 8.18.2 to 9.0.4, and upgraded my Winlogbeats to 9.1.3. Since doing that upgrade, the logs for my winlogbeat agents are being flooded with logs like

{"log.level":"warn","@timestamp":"2025-09-03T13:09:54.494-0500","log.logger":"wineventlog.renderer","log.origin":{"function":"github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.(*Renderer).addEventData","file.name":"wineventlog/renderer.go","file.line":308},"message":"The number of event data parameters doesn't match the number of parameters in the template.","service.name":"winlogbeat","id":"WEC-Process-Execution","channel":"WEC-Process-Execution","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,"event_parameter_count":14,"template_parameter_count":15,"template_version":2,"event_version":2,"ecs.version":"1.6.0"}

The id and channel change depending on the log in question, and it appears that switching to ‘include_xml: true’ on the channel configuration appears to alleviate the issue; I’m not sure if this is a bug in the windows event API, or if I might have something misconfigured. Looking for any guidance, other than setting all channels to include_xml that might resolve these warnings.

Example channel config:

  - name: WEC-Process-Execution
    ignore_older: 72h
    forwarded: true
    tags: ["forwarded","wec-process-execution"]

github.com/elastic/beats

winlogbeat/sys/wineventlog/renderer.go

d9d2860c7


      
          // addEventData adds the event/user data values to the event.
          func (r *Renderer) addEventData(evtMeta *EventMetadata, values []interface{}, event *winevent.Event) {
          	if len(values) == 0 {
          		return
          	}
          
          	if evtMeta == nil {
          		r.log.Warnw("Event metadata not found.",
          			"provider", event.Provider.Name,
          			"event_id", event.EventIdentifier.ID)
          	} else if len(values) != len(evtMeta.EventData.Params) {
          		r.log.Warnw("The number of event data parameters doesn't match the number "+
          			"of parameters in the template.",
          			"provider", event.Provider.Name,
          			"event_id", event.EventIdentifier.ID,
          			"event_parameter_count", len(values),
          			"template_parameter_count", len(evtMeta.EventData.Params),
          			"template_version", evtMeta.Version,
          			"event_version", event.Version)
          	}

marc.guasch · September 4, 2025, 9:43am

Hello!

I see you are using forwarded events. Winlogbeat uses an internal metadata cache that takes the local provider manifests to render the events. For forwarded events it is possible the version the origin hosts are using for the events does not coincide with the one available in that cache, hence the warnings. Enabling include_xml makes them disappear because it bypasses that and directly writes the whole event as an xml. We recently merged a fix for this which will be released for 9.1.4, but for now the only way to make them go away is by enabling include_xml.

Topic		Replies	Views
"INFO Non-zero metrics in the last 30s" with Winlogbeat Beats winlogbeat	2	1240	February 7, 2019
Message filed is missing when Winlogbeat is used Beats winlogbeat	12	2554	October 10, 2017
Winlogbeat "channel not found error" floods log Beats winlogbeat	3	590	June 1, 2023
WinLogBeat and Windows Server 2019 Beats winlogbeat	6	1831	April 9, 2021
Winlogbeat maximum size of event? Beats winlogbeat	15	2443	July 5, 2017

Winlogbeat 9.1.3 - agent logs floodinig with warnings

Related topics