Winlogbeat.event_logs adding level causes data to stop flowing into Elasticsearch

jeffpool · December 14, 2018, 8:29pm

When I add level to any name, Application, Security or System, to only get those level events, the connection from the server in question, Windows Server 2008, breaks. Removing the level, and the connection comes back.
config snip;
winlogbeat.event_logs:

name: Application
ignore_older: 72h
name: Security
name: System
This works fine.

This does not;
winlogbeat.event_logs:

name: Application
level: error
ignore_older: 72h
name: Security
level: critical, error, warning
name: System
level: error,warning

Confusion abounds.

jeffpool · January 10, 2019, 4:38pm

Has anyone had this problem?
Is it a rookie config error?

andrewkroh · January 27, 2019, 4:12pm

Are you sure that it's not working? Or is it just that there are very few events with level:error or level:warning. Looking at my events, the vast majority are information.

"level: Descending",Count
Information,"2,499,092"
Error,"1,021"
Warning,189
Critical,1

One test you could do is to

Use the Windows Event Viewer to verify that events with level error, warning, or critical exist.
Stop Winlogbeat.
Backup and then delete/move the registry file at C:\ProgramData\winlogbeat\.winlogbeat.yml so that it starts reading from the beginning of each event log.
Remove ignore_older from the config file.
Add tags: [level_test] to the config file so that it's easy to identify events from this test in Elasticsearch.
Add level: critical, error, warning to each of the event_logs in your config file.
Start Winlogbeat and see if any events are written to Elasticsearch.

system · February 24, 2019, 4:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.