Winlogbeat does not write specific eventlog status in registry file


(Ld57) #1

Hello all,

We are seeing a strange issue where a specific monitored event log does not appear in the registry file, and when we restart Winlogbeat it resends everything from the beginning.
This does not affect the System, Security or Application event logs.

Conditions :
winlogbeat 6.2.3
windows server 2016
logstash 6.2.3

We use a Windows event subscription to send some events from multiple machines to one.
These go to the "Forwarded Events" event log:

Get-WinEvent -ListLog * | Format-List -Property LogName
...
LogName : Application
LogName : HardwareEvents
LogName : Internet Explorer
LogName : Key Management Service
LogName : Operations Manager
LogName : Security
LogName : System
LogName : Windows PowerShell
LogName : ForwardedEvents
...

We use Winlogbeat to monitor ForwardedEvents.
Winlogbeat monitors and sends events from ForwardedEvents correctly to ES or Logstash (Logstash in our case).
The issue is just that it always restarts from the beginning.

Here is the winlogbeat.yml:

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 72h   # applies to ForwardedEvents; the commented-out entries below are ignored by YAML
  # - name: Application
  # - name: Security
  # - name: System

# Added options: custom fields, placed at the top level of each event
fields_under_root: true
fields:
#  env: staging
  type: misp_winlogbeat

#Output
output.logstash:
  # The Logstash hosts
  hosts: ["10.10.10.10:1010"]

And here is the registry file content:

update_time: 2018-04-19T16:46:54.1673795Z
event_logs:
- name: Microsoft-Windows-AppLocker/EXE and DLL
  record_number: 13234061
  timestamp: 2018-04-19T16:45:57.1890798Z
- name: Microsoft-Windows-AppLocker/MSI and Script
  record_number: 9580
  timestamp: 2018-04-19T16:30:03.9205687Z
- name: Microsoft-Windows-Sysmon/Operational
  record_number: 4867521
  timestamp: 2018-04-19T16:44:14.9419412Z
- name: Security
  record_number: 4400953
  timestamp: 2018-04-19T16:46:46.6696393Z
- name: System
  record_number: 60742
  timestamp: 2018-04-19T12:57:06Z

I do not understand why I see those event logs, but not the one specified in the config file (ForwardedEvents).

Did I do something wrong?

Rgrds,

Ld
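
The symptom above (a configured log with no checkpoint in the registry, so it replays from the first record on every restart) can be spotted without waiting for a restart. The script below is an added example, not code from the thread or from Winlogbeat itself: it parses the `winlogbeat.event_logs` names out of a config and the per-log checkpoints out of the registry file in the format shown above, then reports configured logs that have no checkpoint and checkpoints that lag the file's `update_time` by more than a chosen window (a hint that a log is quiet or stuck). The embedded config and registry text are constructed samples copied from the post; the line-based parsing assumes that simple layout rather than a full YAML parser.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the event_logs section of the winlogbeat.yml posted above.
CONFIG = """\
winlogbeat.event_logs:
  - name: ForwardedEvents
  # - name: Application
    ignore_older: 72h
  # - name: Security
  # - name: System

fields_under_root: true
"""

# Constructed sample: a subset of the registry file posted above.
REGISTRY = """\
update_time: 2018-04-19T16:46:54.1673795Z
event_logs:
- name: Microsoft-Windows-AppLocker/EXE and DLL
  record_number: 13234061
  timestamp: 2018-04-19T16:45:57.1890798Z
- name: Security
  record_number: 4400953
  timestamp: 2018-04-19T16:46:46.6696393Z
- name: System
  record_number: 60742
  timestamp: 2018-04-19T12:57:06Z
"""


def configured_logs(config_text):
    """Names listed under winlogbeat.event_logs; commented-out entries are skipped."""
    names, in_block = [], False
    for line in config_text.splitlines():
        if line.startswith("winlogbeat.event_logs:"):
            in_block = True
            continue
        if in_block:
            if line and not line[0].isspace():  # next top-level key ends the block
                break
            m = re.match(r"\s*-\s*name:\s*(.+?)\s*$", line)
            if m:
                names.append(m.group(1))
    return names


def parse_timestamp(text):
    """Parse the RFC 3339 UTC timestamps Winlogbeat writes (up to 7 fractional digits)."""
    m = re.match(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$", text)
    base, frac = m.group(1), (m.group(2) or "0")
    micro = int((frac + "000000")[:6])  # truncate to microseconds for datetime
    ts = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return ts.replace(microsecond=micro, tzinfo=timezone.utc)


def registry_state(registry_text):
    """Return (update_time, {log name: (record_number, timestamp)}) from the registry file."""
    update_time, raw, current = None, {}, None
    for line in registry_text.splitlines():
        if line.startswith("update_time:"):
            update_time = parse_timestamp(line.split(":", 1)[1].strip())
        elif line.startswith("- name:"):
            current = line.split(":", 1)[1].strip()
            raw[current] = {}
        elif current and line.startswith("  "):
            key, _, value = line.strip().partition(":")
            raw[current][key.strip()] = value.strip()
    state = {name: (int(f["record_number"]), parse_timestamp(f["timestamp"]))
             for name, f in raw.items()}
    return update_time, state


def checkpoint_report(config_text, registry_text, stale_after_hours=72.0):
    """Flag configured logs with no checkpoint (they replay from the start on restart)
    and checkpoints older than stale_after_hours relative to the file's update_time."""
    update_time, state = registry_state(registry_text)
    missing = [n for n in configured_logs(config_text) if n not in state]
    window = timedelta(hours=stale_after_hours)
    stale = [n for n, (_, ts) in state.items() if update_time - ts > window]
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    report = checkpoint_report(CONFIG, REGISTRY)
    print("no checkpoint (will replay on restart):", report["missing"])
    print("stale checkpoints:", report["stale"])
```

Point the two text arguments at the real `winlogbeat.yml` and the registry file (`.winlogbeat.yml` in the data directory) to run it against a live host; the ForwardedEvents entry showing up under "missing" is exactly the condition reported in the post.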


(Adrian Serrano) #2

Is there any error or warning printed to winlogbeat.log ?

Please share the debug log resulting from running winlogbeat with the -d "*" option.


(Adrian Serrano) #3

Hi @ld57,

My mistake, I was convinced that support for Forwarded Events was available in 6.2, but it isn't there. You can wait for 6.3 which is around the corner or use a snapshot build.


(Ld57) #4

Hi @adrisr ,

Sorry for the delay, but I could not work on this, and as it was running fine (until a restart) it was not a priority.

I will test the 6.3.x version and give feedback.

KR

Fred


(Gautier Franchini) #5

Same issue here; has anyone already performed a check with the latest 6.3 version?
kr,
O.


(Conniia) #6

The Logstash server on port 5044 did not receive the logs from Winlogbeat. How can I solve this? Thanks


(Adrian Serrano) #7

Please open a separate question and provide more context, including your configuration and Winlogbeat output if possible.


(Ld57) #8

Hi,

Unfortunately, I could not test it in the 6.3 version yet.

Anyone?

Fred


(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.