Winlogbeat Fatal Error 8.7.0+ name already used

Hey Folks,

Running into some fatal errors with Winlogbeat. Started happening around 8.7.0 and I am now getting to try to fix it. I was on 8.6.2 and it was working fine; with anything 8.7+ it has a fatal error, but if I go back to 8.6.2 it works fine. Installed on Windows 10 fully patched. Nothing special on the OS... testing host.

Running into a wall if anyone has ideas or suggestions.

Things I tried:

  • Total Uninstall and reinstall from scratch.
  • Service installs, but won't start. (install and run script below)
  • Tried to start manually without the service. No joy.

PS Script to install Service looks like this (has some jinja templating):
path:
  home: c:\Program Files\winlogbeat
  config: c:\Program Files\winlogbeat
  data: c:\ProgramData\winlogbeat
  logs: c:\ProgramData\winlogbeat\logs

# Delete and stop the service if it already exists.
if (Get-Service winlogbeat -ErrorAction SilentlyContinue) {
  $service = Get-WmiObject -Class Win32_Service -Filter "name='winlogbeat'"
  $service.StopService()
  Start-Sleep -s 1
  $service.delete()
}

$workdir = Split-Path $MyInvocation.MyCommand.Path

# Create the new service.
New-Service -name winlogbeat `
  -displayName Winlogbeat `
  -binaryPathName "`"{{path.home}}\winlogbeat.exe`"  -c `"{{path.home}}\winlogbeat.yml`" --environment=windows_service --path.home `"{{path.home}}`" --path.data `"{{path.data}}`" --path.logs `"{{path.logs}}`" -E logging.files.redirect_stderr=true"

# Attempt to set the service to delayed start using sc config.
# sc.exe requires a space between the option name and its value ("start= delayed-auto").
Try {
  Start-Process -FilePath sc.exe -ArgumentList 'config winlogbeat start= delayed-auto'
}
Catch { Write-Host -f red "An error occurred setting the service to delayed start." }

Error is below:

{"log.level":"info","@timestamp":"2023-06-28T09:26:54.142-0400","log.origin":{"file.name":"runtime/panic.go","file.line":890},"message":"winlogbeat stopped.","service.name":"winlogbeat","ecs.version":"1.6.0"}

{"log.level":"fatal","@timestamp":"2023-06-28T09:26:54.143-0400","log.logger":"winlogbeat","log.origin":{"file.name":"instance/beat.go","file.line":208},"message":"Failed due to panic.","service.name":"winlogbeat","error":{"message":"name Application already used"},"stack":"github.com/elastic/beats/v7/libbeat/cmd/instance.Run.func1.1\n\tgithub.com/elastic/beats/v7/libbeat/cmd/instance/beat.go:209\nruntime.gopanic\n\truntime/panic.go:884\ngithub.com/elastic/elastic-agent-libs/monitoring.panicErr\n\tgithub.com/elastic/elastic-agent-libs@v0.3.3/monitoring/registry.go:257\ngithub.com/elastic/elastic-agent-libs/monitoring.(*Registry).Add\n\tgithub.com/elastic/elastic-agent-libs@v0.3.3/monitoring/registry.go:155\ngithub.com/elastic/elastic-agent-libs/monitoring.(*Registry).NewRegistry\n\tgithub.com/elastic/elastic-agent-libs@v0.3.3/monitoring/registry.go:94\ngithub.com/elastic/beats/v7/libbeat/monitoring/inputmon.NewInputRegistry\n\tgithub.com/elastic/beats/v7/libbeat/monitoring/inputmon/input.go:55\ngithub.com/elastic/beats/v7/winlogbeat/eventlog.newInputMetrics\n\tgithub.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:667\ngithub.com/elastic/beats/v7/winlogbeat/eventlog.newWinEventLog\n\tgithub.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:274\ngithub.com/elastic/beats/v7/winlogbeat/eventlog.New\n\tgithub.com/elastic/beats/v7/winlogbeat/eventlog/factory.go:128\ngithub.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).init\n\tgithub.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:94\ngithub.com/elastic/beats/v7/winlogbeat/beater.New\n\tgithub.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:80\ngithub.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater\n\tgithub.com/elastic/beats/v7/libbeat/cmd/instance/beat.go:394\ngithub.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch\n\tgithub.com/elastic/beats/v7/libbeat/cmd/instance/beat.go:470\ngithub.com/elastic/beats/v7/libbeat/cmd/instance.Run.func1\n\tgithub.com/elastic/beats/v7/libbeat/cmd/instance/beat.go:217\ngithub.com/elastic/beats/v7/libbeat/cmd/instance.Run\n\tgithub.com/elastic/beats/v7/libbeat/cmd/instance/beat.go:218\ngithub.com/elastic/beats/v7/libbeat/cmd.genRunCmd.func1\n\tgithub.com/elastic/beats/v7/libbeat/cmd/run.go:36\ngithub.com/spf13/cobra.(*Command).execute\n\tgithub.com/spf13/cobra@v1.3.0/command.go:860\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tgithub.com/spf13/cobra@v1.3.0/command.go:974\ngithub.com/spf13/cobra.(*Command).Execute\n\tgithub.com/spf13/cobra@v1.3.0/command.go:902\nmain.main\n\tgithub.com/elastic/beats/v7/x-pack/winlogbeat/main.go:14\nruntime.main\n\truntime/proc.go:250","ecs.version":"1.6.0"}

Can you please share the configuration file you are using as well.


Sure.

Jinja:

elasticsearch_host: "x.x.1.7:9200"
protocol: "https"
elasticsearch_user: "elastic"
kibana_host: "x.x.1.7:5601"

path:
  home: c:\Program Files\winlogbeat
  config: c:\Program Files\winlogbeat
  data: c:\ProgramData\winlogbeat
  logs: c:\ProgramData\winlogbeat\logs
winlogbeat.event_logs:
  - name: Application
    event_id: 1000, 1002
    ignore_older: 72h
    level: error
    provider:
      - Application Error
      - Application Hang
  - name: Application
    event_id: 1001
    ignore_older: 72h
    level: info
    provider:
      - Windows Error Reporting

  - name: Security
    event_id: 4740
    level: info
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Auditing

  - name: System
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Eventlog
  - name: Security
    ignore_older: 72h
    event_id: 1100, 1104, 1105, 1108

  - name: Security
    level: info
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Auditing

  - name: Security
    event_id: 4627, 4703, 4704, 4705, 4720, 4737-4739, 4780-4782, 4793, 4794, 4798, 4799, 5376, 5377
    ignore_older: 72h
  - name: Security
    event_id: 4722-4735
    ignore_older: 72h
  - name: Security
    event_id: 4741-4753
    ignore_older: 72h
  - name: Security
    event_id: 4754-4767
    ignore_older: 72h

  - name: Security
    event_id: 4624-4626, 4647, 4649, 4675, 4774-4779, 4800-4803, 4964, 5378
    ignore_older: 72h

  - name: Autoruns
    ignore_older: 72h

  - name: Security
    event_id: 4886, 4887, 4888
    ignore_older: 72h

  - name: Microsoft-Windows-CodeIntegrity/Operational
    event_id: 3001, 3002, 3003, 3004, 3010, 3023
    ignore_older: 72h
    level: error, warning
    provider:
      - Microsoft-Windows-CodeIntegrity
  - name: Security
    event_id: 5038, 6281, 6410
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Security-Auditing

  - name: System
    event_id: 219
    ignore_older: 72h
    level: warning
    provider:
      - Microsoft-Windows-Kernel-PnP
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    event_id: 2004
    ignore_older: 72h

  - name: System
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1121, 1122, 5007
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Defender/WHC
    event_id: 1121, 1122, 5007
    ignore_older: 72h
  - name: Microsoft-Windows-Security-Mitigations/KernelMode
    event_id: 1-9, 11-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Security-Mitigations/KernelMode
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Concurrency
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Concurrency
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Contention
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Contention
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Messages
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Messages
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Operational
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Operational
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Power
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Power
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Render
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Render
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Tracing
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/Tracing
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/UIPI
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Win32k/UIPI
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: System
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: System
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Security-Mitigations/UserMode
    event_id: 1-12, 5, 260
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Security-Mitigations/UserMode
    event_id: 12-24
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k

  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1125, 1126, 5007
    ignore_older: 72h

  - name: Microsoft-Windows-Windows Defender/WHC
    event_id: 1125, 1126, 5007
    ignore_older: 72h

  # windows defender: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Windows-Defender.xml
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1006-1009
    ignore_older: 72h

  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1116-1119
    ignore_older: 72h

  
  - name: Microsoft-Windows-BitLocker/BitLocker Operational
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: Microsoft-Windows-BitLocker/BitLocker Management
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-DeviceGuard/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-DSC/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4105, 4106
    ignore_older: 72h

  - name: Microsoft-Windows-PowerShell/Admin
    ignore_older: 72h

  - name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
    ignore_older: 72h

  - name: Microsoft-Windows-Shell-Core/Operational
    ignore_older: 72h

  - name: Microsoft-Windows-Shell-Core/LogonTasksChannel
    ignore_older: 72h

  - name: Microsoft-Windows-Shell-Core/AppDefaults
    ignore_older: 72h

  - name: Microsoft-Windows-Shell-Core/ActionCenter
    level: 'critical, error'
    ignore_older: 72h

  - name: PowerShellCore/Operational
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: OpenSSH/Operational
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: OpenSSH/Admin
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: HardwareEvents
    level: 'critical, error'
    ignore_older: 72h

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: Microsoft-Windows-WMI-Activity/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TPM-WMI
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Security-Mitigations/KernelMode
    level: 'critical, error'
    ignore_older: 72h


  - name: Microsoft-Windows-Security-Mitigations/UserMode
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-WHEA/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-WHEA/Errors
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-WDI/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-StoreMgr/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-ShimEngine/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-Power/Thermal-Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-PnP/Driver Watchdog
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-PnP/Configuration
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-LiveDump/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Kernel-IO/Operational
    level: 'critical, error'
    ignore_older: 72h


  - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    level: 'critical, error'
    ignore_older: 72h
    include_xml: true

  - name: Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
    level: 'critical, error'
    ignore_older: 72h
    include_xml: true

  - name: Windows Networking Vpn Plugin Platform/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-VPN/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-VPN-Client/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-RasAgileVpn/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TCPIP/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-LiveId/Operational
    level: 'critical, error'
    ignore_older: 72h


  - name: Microsoft-Windows-ReFS/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-GroupPolicy/Operational
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: Microsoft-Windows-TaskScheduler/Operational
    event_id: 106, 129, 141, 142, 200, 201
    ignore_older: 72h
    provider:
      - Microsoft-Windows-TaskScheduler

  - name: Security
    event_id: 4698-4702
    ignore_older: 72h

  - name: Microsoft-Windows-TaskScheduler/Maintenance
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Storsvc/Diagnostic
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Store/Operational
    level: 'critical'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 8002

  - name: Microsoft-Windows-StorageSpaces-SpaceManager/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-StorageSpaces-Driver/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-StorageSpaces-Driver/Diagnostic
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-StorageManagement/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Storage-Tiering/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Storage-Storport/Operational
    level: 'critical'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 549
        - equals.winlog.event_id: 534
        - equals.winlog.event_id: 523
        - equals.winlog.event_id: 500

  - name: Microsoft-Windows-Storage-Storport/Health
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Storage-Storport/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Storage-Disk/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Storage-Disk/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-SMBServer/Security
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-SMBServer/Operational
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 1024

  - name: Microsoft-Windows-SMBServer/Connectivity
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-SMBServer/Audit
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-SmbClient/Security
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 8464
        - equals.winlog.event_id: 31001

  - name: Microsoft-Windows-SMBClient/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-SmbClient/Connectivity
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 30800
        - equals.winlog.event_id: 30803

  - name: Microsoft-Windows-SmbClient/Audit
    level: 'critical, error'
    ignore_older: 72h

  - name: Win Device Agent
    level: 'critical, error'
    ignore_older: 72h

  - name: ScriptLaunch
    level: 'critical, error'
    ignore_older: 72h

  - name: Operations Manager
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 4502
        - equals.winlog.event_id: 26002

  - name: OneApp_IGCC
    level: 'critical, error'
    ignore_older: 72h

  - name: Key Management Service
    level: 'critical, error'
    ignore_older: 72h

  - name: Internet Explorer
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-DNS-Client/Operational
    event_id: 3008
    ignore_older: 72h

  - name: DNS Server
    event_id: 150, 770
    ignore_older: 72h

  - name: Microsoft-Windows-DNSServer/Audit
    event_id: 541
    ignore_older: 72h

  - name: Microsoft-Windows-Dhcpv6-Client/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Dhcpv6-Client/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Dhcp-Client/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Dhcp-Client/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-AppLocker/Packaged app-Execution
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-AppLocker/Packaged app-Deployment
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-AppLocker/MSI and Script
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-AppLocker/EXE and DLL
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-CodeIntegrity/Operational
    level: 'critical'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 3033

  # Server only
  - name: Microsoft-Windows-Dhcp-Server/Operational
    level: 'critical, error'
    ignore_older: 72h

  # Microsoft Skype for Business Rooms System and Microsoft Teams Rooms System only
  - name: Skype Room System
    level: 'critical, error, warning'
    ignore_older: 72h

  # Hp Tooling
  - name: HPNotifications Application
    level: 'critical, error'
    ignore_older: 72h

  - name: HP Sure Start
    level: 'critical, error'
    ignore_older: 72h

  - name: HP Diagnostics
    level: 'critical, error'
    ignore_older: 72h

  - name: HP Analytics
    level: 'critical, error'
    ignore_older: 72h

  # Hyper-V only
  - name: Microsoft-Windows-Hyper-V-Hypervisor-Operational
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 41

  - name: Microsoft-Windows-Hyper-V-Hypervisor-Admin
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 41

  - name: Microsoft-Windows-Hyper-V-Worker-Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Hyper-V-Worker-Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Hyper-V-VmSwitch-Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Hyper-V-VID-Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Hyper-V-StorageVSP-Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Hyper-V-Compute-Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Hyper-V-Compute-Admin
    level: 'critical, error'
    ignore_older: 72h

  # Monitor USB Devices, this eventlog is not enabled by default
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    level: 'critical, error'
    event_id: 2003,2102
    ignore_older: 72h

  # Sysmon related, needs some care soon. It IS VERY NOISY, we need a solid filter
  - name: Microsoft-Windows-Sysmon/Operational
    level: 'critical, error, warning, information'
    # Minimum, for now!
    event_id: 255, 16, 14, 6
    ignore_older: 72h

  # NTFS
  - name: Microsoft-Windows-Ntfs/WHC
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Ntfs/Operational
    level: 'critical, error'
    ignore_older: 72h

  # NTLM
  - name: Microsoft-Windows-NTLM/Operational
    level: 'critical, error'
    ignore_older: 72h


  - name: RemoteDesktopServices-RemoteFX-SessionLicensing-Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsp/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteDesktopServices-RemoteFX-Manager/Admin
    level: 'critical, error'
    ignore_older: 72h

  # General Remote Desktop and App related
  - name: Microsoft-Windows-Remotefs-Rdbss/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteApp and Desktop Connections/Operational
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteApp and Desktop Connections/Admin
    level: 'critical, error'
    ignore_older: 72h

  # RemoteAssistance
  - name: Microsoft-Windows-RemoteAssistance/Operational
    level: 'critical, error, warning'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteAssistance/Admin
    level: 'critical, error'
    ignore_older: 72h

  # RemoteAccess Management Client
  - name: Microsoft-Windows-RemoteAccess-MgmtClientPerf/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-RemoteAccess-MgmtClient/Operational
    level: 'critical, error'
    ignore_older: 72h


  # SettingSync OneDrive
  - name: Microsoft-Windows-SettingSync-OneDrive/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-SettingSync-OneDrive/Debug
    level: 'critical, error'
    ignore_older: 72h


  # TerminalServices
  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-Printers/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-Printers/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-PnPDevices/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-PnPDevices/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-Gateway/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-TerminalServices-Gateway/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-CloudStore/Operational
    level: 'critical, error'
    ignore_older: 72h
    processors:
      - drop_event.when.or:
        # 1 is a very generic error, mostly onecoreuap\shell\cloudstore\store\cache\src\cloudcacheinitializer.cpp and it IS too noisy
        - equals.winlog.event_id: 1

  - name: Microsoft-Windows-CloudStore/Debug
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Client-Licensing-Platform/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-WebAuthN/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Winlogon/Operational
    level: 'critical, error'
    ignore_older: 72h

  #windows update: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Windows-Updates.xml
  - name: Microsoft-Windows-WindowsUpdateClient/Operational
    event_id: 19, 20, 24, 25, 31, 34, 35
    ignore_older: 72h
    level: error
    provider:
      - Microsoft-Windows-WindowsUpdateClient

  - name: Setup
    event_id: 1009
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Servicing

  - name: Microsoft-Windows-User Profile Service/Operational
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-User Device Registration/Admin
    level: 'critical, error'
    ignore_older: 72h

  - name: Microsoft-Windows-Time-Service/Operational
    level: 'critical, error'
    ignore_older: 72h

  # external devices: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/External-Devices.xml
  - name: Microsoft-Windows-Kernel-PnP/Configuration
    event_id: 400, 410
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Kernel-PnP

  - name: Security
    event_id: 6416
    ignore_older: 72h
  - name: Security
    event_id: 6419-6424
    ignore_older: 72h

  # firewall: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Firewall.xml
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    event_id: 2004, 2005, 2006, 2033
    ignore_older: 72h
    level: info, error
    provider:
      - Microsoft-Windows-Windows Firewall With Advanced Security

  - name: Security
    event_id: 4944-4954
    ignore_older: 72h

  - name: Security
    event_id: 4956-4958
    ignore_older: 72h

  - name: Security
    event_id: 5024, 5025, 5037
    ignore_older: 72h

  - name: Security
    event_id: 5027-5030
    ignore_older: 72h

  - name: Security
    event_id: 5032-5035
    ignore_older: 72h

  # gpo errors: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Group-Policy-Errors.xml
  - name: System
    event_id: 1085, 1125, 1127, 1129
    ignore_older: 72h
    level: error
    provider:
      - Microsoft-Windows-GroupPolicy

  - name: Security
    event_id: 6144, 6145
    ignore_older: 72h

  # kerberos: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Kerberos.xml
  - name: Security
    event_id: 4768, 4769, 4770, 4771, 4772, 4773
    ignore_older: 72h

  # log deletion security: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Log-Deletion-Security.xml
  - name: Security
    event_id: 1102
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Eventlog

  # log deletion system: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Log-Deletion-System.xml
  - name: System
    event_id: 104
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-Eventlog

  # msi: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/MSI-Packages.xml
  - name: Application
    event_id: 1022, 1033
    ignore_older: 72h
    provider:
      - MsiInstaller

  - name: Setup
    event_id: 2, 0
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Servicing

  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 903, 904
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Application-Experience

  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 905, 906
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Application-Experience

  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 907, 908
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Application-Experience

  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 800
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Application-Experience

  # office: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Microsoft-Office.xml
  - name: OAlerts
    ignore_older: 72h

  # ntlm: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/NTLM.xml
  - name: Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    ignore_older: 72h
    provider:
      - Microsoft-Windows-NTLM

  - name: Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    ignore_older: 72h
    provider:
      - Microsoft-Windows-NTLM

  - name: Microsoft-Windows-NTLM/Operational
    ignore_older: 72h
    provider:
      - Microsoft-Windows-NTLM

  # object manipulation: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Object-Manipulation.xml
  - name: Security
    event_id: 4715, 4817, 4656, 4658, 4660, 4663, 4670
    ignore_older: 72h

  # operating system: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Operating-System.xml
  - name: System
    event_id: 12, 13
    ignore_older: 72h
    provider:
      - Microsoft-Windows-Kernel-General

  - name: Security
    event_id: 4608
    ignore_older: 72h

  - name: System
    event_id: 1074
    ignore_older: 72h
    provider:
      - USER32

  - name: Security
    event_id: 4817, 4826
    ignore_older: 72h

  - name: System
    event_id: 16962, 16965, 16968, 16969
    ignore_older: 72h

  - name: Microsoft-Windows-SMBServer/Audit
    event_id: 3000
    ignore_older: 72h
    provider:
      - Microsoft-Windows-SMBServer

  - name: System
    event_id: 41, 1001, 6008, 4621
    ignore_older: 72h

  - name: Security
    event_id: 4610, 4611, 4614, 4622, 4697
    ignore_older: 72h

  - name: Security
    event_id: 4719, 4817, 4902, 4906, 4908, 4912, 4904, 4905
    ignore_older: 72h

  # print: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Print.xml
  - name: Microsoft-Windows-PrintService/Operational
    event_id: 307
    ignore_older: 72h
    level: info
    provider:
      - Microsoft-Windows-PrintService

  # privilege use: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Privilege-Use.xml
  - name: Security
    event_id: 4673, 4674, 4985
    ignore_older: 72h

  # process exec: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Process-Execution.xml
  #- name: Security
  #  event_id: 4688
  #  ignore_older: 72h
  - name: Security
    event_id: 4689
    ignore_older: 72h

  # registry: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Registry.xml
  # TODO: how to filter on eventdata operationtype?
  - name: Security
    event_id: 4657
    ignore_older: 72h

  # services: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Services.xml
  - name: System
    event_id: 7022, 7023, 7024, 7026, 7031, 7032, 7034
    ignore_older: 72h
    level: info, critical, error, warning
    provider:
      - Service Control Manager

  - name: System
    event_id: 7045, 7040
    ignore_older: 72h
    level: info, critical, error, warning
    provider:
      - Service Control Manager

  # shares: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Shares.xml
  - name: Security
    event_id: 5140, 5142, 5144, 5145, 5168
    ignore_older: 72h

  - name: Microsoft-Windows-SMBClient/Operational
    event_id: 30622, 30624
    ignore_older: 72h

  # software restrictions: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Software-Restriction-Policies.xml
  - name: Application
    event_id: 865, 866, 867, 868, 882
    ignore_older: 72h
    provider:
      - Microsoft-Windows-SoftwareRestrictionPolicies

  - name: Security
    event_id: 4886, 4887, 4888
    ignore_older: 72h

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

# ====================== Elasticsearch template settings =======================

setup.template.settings:
  index.number_of_shards: 1

tags: ["windows_workstation"]

setup.dashboards.enabled: false
setup.kibana:
  host: "{{kibana_host}}"
  username: elastic
  password: "${ES_PWD}"
  protocol: "{{protocol}}"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "{CA_FINGERPRINT}"
    verification_mode: none

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["{{elasticsearch_host}}"]
  protocol: "{{protocol}}"
  username: "{{ elasticsearch_user }}"
  password: "${ES_PWD}"
  pipeline: "winlogbeat-%{[agent.version]}-routing"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "{CA_FINGERPRINT}"
    verification_mode: none

# ================================= Processors =================================
# General processors
processors:
  # - add_host_metadata: ~
  # - add_cloud_metadata: ~
  # - add_docker_metadata: ~
  - add_process_metadata:
      match_pids: ["system.process.ppid"]
      target: system.process.parent

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug

logging.level: info
logging.to_files: true
logging.files:
  path: c:\ProgramData\winlogbeat\logs
  name: winlogbeat
  keepfiles: 7
  permissions: "0640"

On your winlogbeat.yml you have the Application name (and also others like Security and System) multiple times.

Example:

I'm not sure that this is possible.

Thanks for the reply... unless something changed in 8.7... I've been using that config for about 3 years without issues. The issue arose between 8.6.2 and 8.7.0.
Config comes from here:

Yeah, I was looking into the release notes from 8.6.2 until 8.8.1 and didn't find anything related to it.

Not sure if this is really the issue; need to wait for someone from Elastic who can confirm.

1 Like

On what operating system are the winlogbeats generating the fatal errors running? Just asking because I think I read somewhere that support for 2008 / XP and some older OSes stopped some time ago.

Windows 10. Fully patched.

Same issue here. Followed, used, and generated Winlogbeat config via GitHub - ElasticSA/wec_pepped: Pep up your Windows Event Collector (WEC) for Windows Event Forwarding (WEF). Followed the WEC Server Cookbook guide. Winlogbeat is installed on Windows Server 2022.

Been working for the past 2 years (before Winlogbeat version 8.7). I even tried commenting out multiple "Application" sections, and now the error is "panic: name System already used".

Winlogbeat config:

###################### Winlogbeat Configuration Example ########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

# ======================== Winlogbeat specific options =========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name, id, xml_query, tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml.
# The xml_query key requires an id and must not be used with the name,
# ignore_older, level, event_id, or provider keys. Please visit the
# documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:

  # WEC server
  # Application Crashes:
  #- name: Application
  #  event_id: 1000, 1002
  #  ignore_older: 24h
  #  level: error
  #  provider:
  #    - Application Error
  #    - Application Hang
  #- name: Application
  #  event_id: 1001
  #  ignore_older: 24h
  #  level: info
  #  provider:
  #    - Windows Error Reporting

  # event log diagnostics: 
  - name: System
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Eventlog
  - name: Security
    ignore_older: 24h
    event_id: 1100, 1104, 1105, 1108

  - name: System
    level: 'critical, error'
    ignore_older: 24h
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 7000
        - equals.winlog.event_id: 7001
        - equals.winlog.event_id: 10016
        - equals.winlog.event_id: 24629
        - equals.winlog.event_id: 10010
        - equals.winlog.event_id: 11060
        - equals.winlog.event_id: 41
        - equals.winlog.event_id: 124
        - equals.winlog.event_id: 34

  - name: Security

  # explicit credentials: 
  - name: Security
    level: info
    ignore_older: 24h
    provider:
      - Microsoft-Windows-Security-Auditing

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    event_id: 33, 65, 66, 102, 103

  # Subscriptions
  - name: WecFwdLog-Domain-Misc/Script
    tags: [WEC, WEF, Script, Misc]
  
  - name: WecFwdLog-Domain-Misc/Security
    tags: [WEC, WEF, Security, Misc]
  
  - name: WecFwdLog-Domain-Misc/Sysmon
    tags: [WEC, WEF, Sysmon, Misc]
  
  - name: WecFwdLog-Domain-Misc/Service
    tags: [WEC, WEF, Service, Misc]
  
  #- name: WecFwdLog-Domain-Misc/Application
  #  tags: [WEC, WEF, Application, Misc]
  
  - name: WecFwdLog-Domain-Misc/Misc
    tags: [WEC, WEF, Misc, Misc]
  
  - name: WecFwdLog-Domain-Misc/System
    tags: [WEC, WEF, System, Misc]
  
  - name: WecFwdLog-Domain-Privileged/Script
    tags: [WEC, WEF, Script, Privileged]
  
  - name: WecFwdLog-Domain-Privileged/Security
    tags: [WEC, WEF, Security, Privileged]
  
  - name: WecFwdLog-Domain-Privileged/Sysmon
    tags: [WEC, WEF, Sysmon, Privileged]
  
  - name: WecFwdLog-Domain-Privileged/Service
    tags: [WEC, WEF, Service, Privileged]
  
  #- name: WecFwdLog-Domain-Privileged/Application
  #  tags: [WEC, WEF, Application, Privileged]
  
  - name: WecFwdLog-Domain-Privileged/Misc
    tags: [WEC, WEF, Misc, Privileged]
  
  - name: WecFwdLog-Domain-Privileged/System
    tags: [WEC, WEF, System, Privileged]
  
  - name: WecFwdLog-Domain-Clients/Script
    tags: [WEC, WEF, Script, Clients]
  
  - name: WecFwdLog-Domain-Clients/Security
    tags: [WEC, WEF, Security, Clients]
  
  - name: WecFwdLog-Domain-Clients/Sysmon
    tags: [WEC, WEF, Sysmon, Clients]
  
  - name: WecFwdLog-Domain-Clients/Service
    tags: [WEC, WEF, Service, Clients]
  
  #- name: WecFwdLog-Domain-Clients/Application
  #  tags: [WEC, WEF, Application, Clients]
  
  - name: WecFwdLog-Domain-Clients/Misc
    tags: [WEC, WEF, Misc, Clients]
  
  - name: WecFwdLog-Domain-Clients/System
    tags: [WEC, WEF, System, Clients]
  
  - name: WecFwdLog-Domain-Members/Script
    tags: [WEC, WEF, Script, Members]
  
  - name: WecFwdLog-Domain-Members/Security
    tags: [WEC, WEF, Security, Members]
  
  - name: WecFwdLog-Domain-Members/Sysmon
    tags: [WEC, WEF, Sysmon, Members]
  
  - name: WecFwdLog-Domain-Members/Service
    tags: [WEC, WEF, Service, Members]
  
  #- name: WecFwdLog-Domain-Members/Application
  #  tags: [WEC, WEF, Application, Members]
  
  - name: WecFwdLog-Domain-Members/Misc
    tags: [WEC, WEF, Misc, Members]
  
  - name: WecFwdLog-Domain-Members/System
    tags: [WEC, WEF, System, Members]
  
  - name: WecFwdLog-Domain-Servers/Script
    tags: [WEC, WEF, Script, Servers]
  
  - name: WecFwdLog-Domain-Servers/Security
    tags: [WEC, WEF, Security, Servers]
  
  - name: WecFwdLog-Domain-Servers/Sysmon
    tags: [WEC, WEF, Sysmon, Servers]
  
  - name: WecFwdLog-Domain-Servers/Service
    tags: [WEC, WEF, Service, Servers]
  
  #- name: WecFwdLog-Domain-Servers/Application
  #  tags: [WEC, WEF, Application, Servers]
  
  - name: WecFwdLog-Domain-Servers/Misc
    tags: [WEC, WEF, Misc, Servers]
  
  - name: WecFwdLog-Domain-Servers/System
    tags: [WEC, WEF, System, Servers]
  
  - name: WecFwdLog-Domain-Controllers/Script
    tags: [WEC, WEF, Script, Controllers]
  
  - name: WecFwdLog-Domain-Controllers/Security
    tags: [WEC, WEF, Security, Controllers]
  
  - name: WecFwdLog-Domain-Controllers/Sysmon
    tags: [WEC, WEF, Sysmon, Controllers]
  
  - name: WecFwdLog-Domain-Controllers/Service
    tags: [WEC, WEF, Service, Controllers]
  
  #- name: WecFwdLog-Domain-Controllers/Application
  #  tags: [WEC, WEF, Application, Controllers]
  
  - name: WecFwdLog-Domain-Controllers/Misc
    tags: [WEC, WEF, Misc, Controllers]
  
  - name: WecFwdLog-Domain-Controllers/System
    tags: [WEC, WEF, System, Controllers]

# ====================== Elasticsearch template settings =======================

setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://siem.:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

  # SSL
  ssl.enabled: true
  ssl.certificate_authorities:
    - C:\ProgramData\Elastic\Beats\winlogbeat\certs\-rootca.crt
    - C:\ProgramData\Elastic\Beats\winlogbeat\certs\-subca.crt
    - C:\ProgramData\Elastic\Beats\winlogbeat\certs\ca.crt
  # ssl.certificate: "/etc/client/cert.pem"
  # ssl.key: "/etc/client/cert.key"

# =============================== Elastic Cloud ================================

# These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://es1.:9200", "https://es2.:9200", "https://es3.:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # SSL settings
  ssl.certificate_authorities: 'C:\ProgramData\Elastic\Beats\winlogbeat\certs\-rootca.crt'
  ssl.certificate: 'C:\ProgramData\Elastic\Beats\winlogbeat\certs\tls.crt'
  ssl.key: 'C:\ProgramData\Elastic\Beats\winlogbeat\certs\tls.key'

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: ""

  # Pipeline to route events to security, sysmon, or powershell pipelines.
  pipeline: "winlogbeat-%{[agent.version]}-routing"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: WEF
  - add_cloud_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the winlogbeat.
#instrumentation:
    # Set to true to enable instrumentation of winlogbeat.
    #enabled: false

    # Environment in which winlogbeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

1 Like

@andrewkroh any chance you were able to find the issue? Looks like someone else is hitting the same issue.

1 Like

If you run two separate readers on the same channel (e.g. Application) you should set an explicit id value such that each reader can independently store a bookmark/checkpoint into the registry. By default the name value is used in the registry. So with this config both readers are clobbering each other's state. After a restart the readers may not begin at the correct starting point because of this.

The docs for id are at Configure Winlogbeat | Winlogbeat Reference [8.11] | Elastic.

So change it like this:

  - name: Application
    id: application-error-hang # <-- Set a unique ID here.
    event_id: 1000, 1002
    ignore_older: 72h
    level: error
    provider:
      - Application Error
      - Application Hang
  - name: Application
    id: application-wer # <-- Set a unique ID here.
    event_id: 1001
    ignore_older: 72h
    level: info
    provider:
      - Windows Error Reporting

The panic was not intentionally added to enforce this best practice. It was an unintended side-effect of instrumenting each event log reader with its own metrics that you can view if you add this to your config. The unique ID is used to associate each reader instance to its metrics.

# Exposes metrics at http://127.0.0.1:5066/inputs/?pretty
http.host: 127.0.0.1
http.port: 5066

3 Likes
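As an added check (not code from the thread, from Elastic, or from winlogbeat itself), a small Python script that applies the rule described in the reply above: each reader is keyed by its id when set, otherwise by its name, and two readers sharing a key are exactly what triggers the "name X already used" panic in 8.7+ (and shared, clobbered checkpoints before that). It understands only the flat `- name:` / `id:` layout the configs in this thread use, and the embedded sample config is constructed for the demonstration.

```python
"""Flag winlogbeat.event_logs readers that would share a registry/metrics key."""
import re
from collections import defaultdict

# Constructed sample: a trimmed winlogbeat.yml fragment, not a config from the thread.
# The first Application reader carries an id, the second does not; both Security
# readers rely on name alone and therefore collide.
SAMPLE_YML = """\
winlogbeat.event_logs:
  #- name: Application
  #  event_id: 1000, 1002
  - name: Application
    id: application-error-hang # <-- unique id, so no collision
    event_id: 1000, 1002
  - name: Application
    event_id: 1001
    provider:
      - Windows Error Reporting
  - name: Security
    event_id: 4688
  - name: Security
    event_id: 4689
  - name: Microsoft-Windows-Sysmon/Operational

setup.template.settings:
  index.number_of_shards: 1
"""

ITEM_RE = re.compile(r"^(\s*)-\s+name:\s*(.+?)\s*$")   # "  - name: <channel>"
KEY_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")         # "    key: value"


def _value(s):
    """Drop a trailing ' # comment' and surrounding quotes from a YAML scalar."""
    return s.split(" #", 1)[0].strip().strip("'\"")


def parse_event_logs(text):
    """Return [{'name', 'id', 'line'}, ...] for each reader under winlogbeat.event_logs.
    Commented-out items are skipped; nested lists (provider:, processors:) are ignored."""
    entries, in_section, item_indent = [], False, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw.startswith((" ", "\t")):
            # Any unindented key starts a new top-level section.
            in_section = stripped.startswith("winlogbeat.event_logs:")
            item_indent = None
            continue
        if not in_section:
            continue
        m = ITEM_RE.match(raw)
        if m and (item_indent is None or len(m.group(1)) == item_indent):
            item_indent = len(m.group(1))
            entries.append({"name": _value(m.group(2)), "id": None, "line": lineno})
            continue
        k = KEY_RE.match(raw)
        if k and entries and k.group(1) == "id" and len(raw) - len(raw.lstrip()) > item_indent:
            entries[-1]["id"] = _value(k.group(2))
    return entries


def find_collisions(text):
    """Map each duplicated key (id, else name) to the line numbers of the readers using it."""
    by_key = defaultdict(list)
    for e in parse_event_logs(text):
        by_key[e["id"] or e["name"]].append(e["line"])
    return {key: lines for key, lines in by_key.items() if len(lines) > 1}


if __name__ == "__main__":
    for key, lines in find_collisions(SAMPLE_YML).items():
        print(f"readers on lines {lines} share key {key!r}; give each a unique id")
```

Run it against a real winlogbeat.yml by reading the file into `find_collisions`; an empty result means every reader has a distinct key.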

Adding id for similar Channel entries worked for me. Thank you!

1 Like

@andrewkroh fixed it for me also. THANK YOU A TON.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.