Winlogbeat.event_logs adding level causes data to stop flowing into Elasticsearch


#1

When I add level to any name, Application, Security or System, to only get those level events, the connection from the server in question, Windows Server 2008, breaks. Remove the level, and the connection comes back.

Config snip:

    winlogbeat.event_logs:
      - name: Application
        ignore_older: 72h
      - name: Security
      - name: System

This works fine.

This does not:

    winlogbeat.event_logs:
      - name: Application
        level: error
        ignore_older: 72h
      - name: Security
        level: critical, error, warning
      - name: System
        level: error,warning

Confusion abounds.


#2

Has anyone had this problem?
Is it a rookie config error?


(Andrew Kroh) #3

Are you sure that it's not working? Or is it just that there are very few events with level:error or level:warning. Looking at my events, the vast majority are information.

"level: Descending",Count
Information,"2,499,092"
Error,"1,021"
Warning,189
Critical,1

One test you could do is to

  1. Use the Windows Event Viewer to verify that events with level error, warning, or critical exist.
  2. Stop Winlogbeat.
  3. Back up and then delete/move the registry file at C:\ProgramData\winlogbeat\.winlogbeat.yml so that it starts reading from the beginning of each event log.
  4. Remove ignore_older from the config file.
  5. Add tags: [level_test] to the config file so that it's easy to identify events from this test in Elasticsearch.
  6. Add level: critical, error, warning to each of the event_logs in your config file.
  7. Start Winlogbeat and see if any events are written to Elasticsearch.
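The test configuration the seven steps above describe, written out as one winlogbeat.yml fragment. This is an added example, not a config from either poster; the Elasticsearch host is a placeholder and the registry path is the default quoted in step 3.

```yaml
# Added example: Winlogbeat test config assembled from steps 4-6 above.
# ignore_older is deliberately absent (step 4) so nothing is skipped on the
# first read after the registry file has been moved aside (step 3).

# Default registry location on the server in question (step 3); back it up
# and move it away before starting Winlogbeat so every log is read from the start.
winlogbeat.registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

# Step 5: every event shipped during this test carries the tag, so it can be
# found in Elasticsearch with the query  tags:level_test
tags: [level_test]

# Step 6: the same level filter on each event log.
winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
  - name: Security
    level: critical, error, warning   # expect almost nothing here; see note below
  - name: System
    level: critical, error, warning

# Placeholder output; replace with the real Elasticsearch host.
output.elasticsearch:
  hosts: ["http://elasticsearch.example:9200"]
```

One thing to expect when reading the result (step 7): events in the Security log are written at the Information level, with "Audit Success" and "Audit Failure" recorded as keywords rather than as levels, so a critical/error/warning filter on Security will drop nearly every logon, privilege-use and policy-change event. A count of tagged events per log_name in Elasticsearch should therefore show Application and System in line with Event Viewer's error/warning totals and Security close to zero; that outcome means the filter is working as written, not that the connection is broken.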

(system) closed #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.