Winlogbeat "channel not found error" floods log

C0FFEEC0FFEE · May 2, 2023, 2:55pm

Since https://github.com/elastic/beats/pull/34605, the winlogbeat logfile is flooded with "channel not found" errors if a non-existent channel is configured in winlogbeat.yml.

For each channel which isn't found, this error is logged every 5 seconds:

{"log.level":"warn","@timestamp":"2023-05-02T16:37:12.486+0200","log.logger":"winlogbeat","log.origin":{"file.name":"beater/eventlogger.go","file.line":144},"message":"Open() encountered channel not found error. Trying again...","service.name":"winlogbeat","id":"Directory Service","error":{"message":"The specified channel could not be found."},"channel":"Directory Service","ecs.version":"1.6.0"}

My current strategy for configuring winlogbeats is listing all the channels which I'd want to collect (if they exist), regardless of the channels available on the systems. Due to this change I'm left with either maintaining multiple winlogbeat.yml configuration files or disabling logging.

Would it be possible to log this error less often?

taylor-swanson · May 3, 2023, 3:02pm

Hey @C0FFEEC0FFEE, thanks for bringing this up.

I'll write up an issue shortly to reduce the amount of logging for this message. What I'm thinking is keeping the first log of this kind at the "warn" level, then either suppress subsequent messages altogether or move them to the debug level (probably the latter).

Edit: Link to issue: [Winlogbeat] Suppress excessive channel not found warning messages · Issue #35314 · elastic/beats · GitHub

C0FFEEC0FFEE · May 4, 2023, 7:58am

Thanks

system · June 1, 2023, 9:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.