Winlogbeat 9.1.3 - agent logs floodinig with warnings

I recently upgraded my setup from 8.18.2 to 9.0.4, and upgraded my Winlogbeats to 9.1.3. Since doing that upgrade, the logs for my winlogbeat agents are being flooded with logs like

{"log.level":"warn","@timestamp":"2025-09-03T13:09:54.494-0500","log.logger":"wineventlog.renderer","log.origin":{"function":"github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.(*Renderer).addEventData","file.name":"wineventlog/renderer.go","file.line":308},"message":"The number of event data parameters doesn't match the number of parameters in the template.","service.name":"winlogbeat","id":"WEC-Process-Execution","channel":"WEC-Process-Execution","provider":"Microsoft-Windows-Security-Auditing","event_id":4688,"event_parameter_count":14,"template_parameter_count":15,"template_version":2,"event_version":2,"ecs.version":"1.6.0"}

The id and channel change depending on the log in question, and it appears that switching to ‘include_xml: true’ on the channel configuration appears to alleviate the issue; I’m not sure if this is a bug in the windows event API, or if I might have something misconfigured. Looking for any guidance, other than setting all channels to include_xml that might resolve these warnings.

Example channel config:

  - name: WEC-Process-Execution
    ignore_older: 72h
    forwarded: true
    tags: ["forwarded","wec-process-execution"]

Hello!

I see you are using forwarded events. Winlogbeat uses an internal metadata cache that takes the local provider manifests to render the events. For forwarded events it is possible the version the origin hosts are using for the events does not coincide with the one available in that cache, hence the warnings. Enabling include_xml makes them disappear because it bypasses that and directly writes the whole event as an xml. We recently merged a fix for this which will be released for 9.1.4, but for now the only way to make them go away is by enabling include_xml.