Winlogbeat - ERROR checkpoint/checkpoint.go:199

Hi everyone,

To explain the architecture simply: we collect Windows logs from our sources through our Windows Log Collector, and the Collector Server forwards logs to the SOC team for a specified set of event IDs with winlogbeat 6.8.
But when I check with a simple tail (Windows) command, I often see this line (and this line never appeared before I specified each event ID):

[...] ERROR checkpoint/checkpoint.go:199 rename C:\ProgramData\winlogbeat.winlogbeat.yml.new C:\ProgramData\winlogbeat.winlogbeat.yml: Access is denied.

What's wrong with that? I can't find any issue like this on the internet.

Part of my winlogbeat.yml:

  - name: ForwardedEvents
    fields_under_root: true
    fields:
      env: OPERATIONNAL
    ignore_older: 1h
    forwarded: true
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_id: 6
          - equals.winlog.event_id: 104
          - equals.winlog.event_id: 1100
          [...]
          - equals.winlog.event_id: 4803

Another question: is it possible to show precisely the events sent with winlogbeat, rather than a line like this:

INFO beater/eventlogger.go:73 EventLog[ForwardedEvents] successfully published 1 events

Thanks for your time,
Regards,

Welcome @Mickael1 to our community forums!

  1. It seems that you are encountering an issue with the registry file. Are you running Winlogbeat as a service or from the command line? Since the error is Access is denied, it could be a permission issue?

  2. I am also surprised to see such file names in this error message. The recommendation is to set the registry value to C:/ProgramData/winlogbeat/.winlogbeat.yml. Could you share the winlogbeat.yml configuration file?

  3. Depending on the above, one action could be to stop Winlogbeat, delete the registry files and check if that solves the problem.

  4. In the near future, you may also want to consider upgrading Winlogbeat to the latest version.

  5. Regarding the logs, you could set logging.level to debug in the winlogbeat.yml configuration file, or run Winlogbeat with debug logging using the following command: winlogbeat -e -d "*".

I hope that helps.
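The error quoted in the first post is raised while the checkpoint writer renames `<registry>.new` onto `<registry>`. The script below, added here as an example and not part of this thread or of the Winlogbeat project, repeats that same two-step sequence (write a probe file, rename it into place, then do it again so the second rename replaces an existing file, as every checkpoint after the first does) in a directory of your choice, and splits a registry path into directory and file name so the path in the error message is easier to read. The default directory `C:\ProgramData\winlogbeat`, the probe file name and the sample paths are assumptions; it never touches the real registry file.

```python
"""Reproduce Winlogbeat's registry-file checkpoint step: write .new, rename into place."""
import getpass
import os
import sys
import tempfile
from pathlib import Path, PureWindowsPath

PROBE_NAME = ".winlogbeat-probe.yml"   # assumed name; deliberately not the real registry file


def describe_registry_path(registry_file):
    """Split a winlogbeat.registry_file value into (directory, file name).

    Windows path rules are applied regardless of the host OS, so the paths
    from the thread can be inspected from anywhere.
    """
    p = PureWindowsPath(registry_file)
    return str(p.parent), p.name


def probe_checkpoint_rename(directory):
    """Write <probe>.new inside `directory` and rename it onto <probe>, twice.

    This mirrors the checkpoint writer's sequence. On Windows the rename needs
    write/delete rights on the directory and on the existing target file.
    Returns (ok, detail) and removes both files afterwards.
    """
    final = Path(directory) / PROBE_NAME
    tmp = final.with_name(final.name + ".new")
    try:
        for attempt in (1, 2):               # second pass replaces an existing file
            tmp.write_text(f"probe: {attempt}\n", encoding="utf-8")
            os.replace(tmp, final)           # same rename the error message reports
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"
    finally:
        for leftover in (tmp, final):
            try:
                leftover.unlink(missing_ok=True)
            except OSError:
                pass
    return True, str(final)


def probe_in_temp_dir():
    """Self-check in a fresh temporary directory: (ok, number of files left behind)."""
    with tempfile.TemporaryDirectory() as d:
        ok, _ = probe_checkpoint_rename(d)
        return ok, len(os.listdir(d))


if __name__ == "__main__":
    # Assumed default; pass the directory that holds your registry file as argv[1].
    target_dir = sys.argv[1] if len(sys.argv) > 1 else r"C:\ProgramData\winlogbeat"
    print("running as:", getpass.getuser())
    for example in (r"C:\ProgramData\winlogbeat.winlogbeat.yml",   # path from the error message
                    "C:/ProgramData/winlogbeat/.winlogbeat.yml"):  # path recommended above
        print("registry path %-45s -> dir=%s file=%s" % ((example,) + describe_registry_path(example)))
    ok, detail = probe_checkpoint_rename(target_dir)
    print("checkpoint rename in", target_dir, "->", "OK" if ok else "FAILED:", detail)
```

Run it under the account the service logs on as (Get-CimInstance Win32_Service shows it in `StartName`); a success as the interactive administrator only proves that administrator can rename there.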

Thanks romain for the quick response,

I am actually running Winlogbeat as a service, and I didn't change anything in the current permissions. I simply restarted the service after a few weeks to implement some modifications.

Yes, sure, here you go:

###################### Winlogbeat Configuration ##########################

#======================= Winlogbeat specific options ==========================

winlogbeat.event_logs:
  - name: System

  - name: Application

  - name: Security
    ignore_older: 1h
    fields_under_root: true
    fields:
      env: OPERATIONNEL
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_id: 6
          - equals.winlog.event_id: 104
          - equals.winlog.event_id: 1100
          […]
          - equals.winlog.event_id: 4803

  - name: ForwardedEvents
    fields_under_root: true
    fields:
      env: OPERATIONNEL
    ignore_older: 1h
    forwarded: true
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_id: 6
          - equals.winlog.event_id: 104
          - equals.winlog.event_id: 1100
          […]
          - equals.winlog.event_id: 4803

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

tags: ["winlogbeat"]

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["XXX.XXX.XXX.XXX:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

# Debug outputs; Beats run with a single active output, so these stay
# commented out while output.logstash is in use.
#output.console:
#  pretty: true
#output.file:
#  path: "C:\winlogbeat\data"
#  filename: winlogbeat_debug.txt

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: info
logging.to_files: true
logging.files:
  path: C:\winlogbeat\data
  name: log-winlogbeat
  keepfiles: 30

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

OK, I will test that during the day.

Yes, but unfortunately it is not my choice to use this version; personally I would probably have used the latest one :slight_smile:

I actually thought about it right after I sent my message. By the way, I have another question about this. I specify event IDs in the configuration file, but I see there is an event that is always forwarded (EventID: 7036), and it is not on my list. Did I do something wrong?

Regards,
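How the per-event-log processors in the posted configuration decide what is forwarded, as an added example that is not part of this thread or of Winlogbeat: a small Python model of the Beats config loader's dotted-key expansion and of the `equals`, `not`, `or` and `and` conditions, run over constructed events. It makes two things visible. First, the `drop_event.when.not.or` whitelist is attached only to the Security and ForwardedEvents entries, so an event read from the System log (where Windows writes Service Control Manager event 7036) is never filtered. Second, the condition tests `winlog.event_id`, the field name Winlogbeat 7.x exports, whereas 6.x exports the event ID as a top-level `event_id`; an event without `winlog.event_id` fails every `equals`, and the `not` turns that into a drop. The event list, the four IDs standing in for the elided list, and the two field layouts are assumptions.

```python
"""Model of how winlogbeat.event_logs[].processors filter events per event log."""

# The four event IDs visible in the posted config; the elided rest is omitted here.
ALLOWED_IDS = (6, 104, 1100, 4803)


def whitelist(ids):
    """Build the posted drop_event.when.not.or condition in Beats' dotted-key form."""
    return [{"drop_event.when.not.or": [{"equals.winlog.event_id": i} for i in ids]}]


# Mirror of the posted event_logs section: System and Application carry no processors.
EVENT_LOGS = [
    {"name": "System"},
    {"name": "Application"},
    {"name": "Security", "processors": whitelist(ALLOWED_IDS)},
    {"name": "ForwardedEvents", "processors": whitelist(ALLOWED_IDS)},
]


def expand(node):
    """Expand dotted keys ('a.b.c': v) into nested dicts, as the Beats config loader does."""
    if isinstance(node, list):
        return [expand(n) for n in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        parts = key.split(".")
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = expand(value)
    return out


def get_field(event, path):
    """Look up a dotted field path in an event; None when any segment is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def flatten(node, prefix=""):
    """Inverse of expand for an `equals` body: nested dict -> {'a.b': value}."""
    out = {}
    for key, value in node.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def matches(cond, event):
    """Evaluate an expanded Beats condition (equals / not / or / and)."""
    (kind, body), = cond.items()
    if kind == "equals":
        return all(get_field(event, f) == v for f, v in flatten(body).items())
    if kind == "not":
        return not matches(body, event)
    if kind == "or":
        return any(matches(c, event) for c in body)
    if kind == "and":
        return all(matches(c, event) for c in body)
    raise ValueError(f"unsupported condition: {kind}")


def run_processors(processors, event):
    """Return the event, or None when a drop_event processor drops it."""
    for proc in expand(processors):
        drop = proc.get("drop_event")
        if drop is not None and ("when" not in drop or matches(drop["when"], event)):
            return None
    return event


def forwarded(event_logs, events):
    """events: (channel, event) pairs; returns the (channel, event_id) pairs that survive."""
    by_name = {log["name"]: log.get("processors", []) for log in event_logs}
    kept = []
    for channel, event in events:
        if run_processors(by_name[channel], event) is not None:
            kept.append((channel, get_field(event, "winlog.event_id")))
    return kept


SAMPLE_EVENTS = [  # constructed events; only the fields the condition looks at
    ("System", {"winlog": {"event_id": 7036}}),        # SCM state change, unfiltered log
    ("Security", {"winlog": {"event_id": 4803}}),      # on the whitelist
    ("Security", {"winlog": {"event_id": 4624}}),      # not on the whitelist
    ("ForwardedEvents", {"winlog": {"event_id": 1100}}),
    ("ForwardedEvents", {"event_id": 1100}),           # 6.x layout: winlog.event_id absent
]

if __name__ == "__main__":
    for channel, event_id in forwarded(EVENT_LOGS, SAMPLE_EVENTS):
        print(f"forwarded: {channel:16} event_id={event_id}")
```

The last sample event carries the same ID as the one before it but in the 6.x field layout, and it is dropped; if the collector exports `event_id` rather than `winlog.event_id`, the posted whitelist drops everything from the logs it is attached to while System and Application pass through untouched.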
