If you run two separate readers on the same channel (e.g. `Application`) you should set an explicit `id` value such that each reader can independently store a bookmark/checkpoint into the registry. By default the `name` value is used in the registry. So with this config both readers are clobbering each other's state. After a restart the readers may not begin at the correct starting point because of this.
The docs for `id` are at Configure Winlogbeat | Winlogbeat Reference [8.11] | Elastic.
So change it like this:
```yaml
- name: Application
  id: application-error-hang # <-- Set a unique ID here.
  event_id: 1000, 1002
  ignore_older: 72h
  level: error
  provider:
    - Application Error
    - Application Hang
- name: Application
  id: application-wer # <-- Set a unique ID here.
  event_id: 1001
  ignore_older: 72h
  level: info
  provider:
    - Windows Error Reporting
```
The panic was not intentionally added to enforce this best practice. It was an unintended side-effect of instrumenting each event log reader with its own metrics that you can view if you add this to your config. The unique ID is used to associate each reader instance to its metrics.
```yaml
# Exposes metrics at http://127.0.0.1:5066/inputs/?pretty
http.host: 127.0.0.1
http.port: 5066
```
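
A check for the collision described in this reply, as an added example that is not part of the original post or of Winlogbeat: it computes each reader's registry key (`id`, else `name`) and reports keys shared by more than one reader. It assumes a block-style `winlogbeat.event_logs` list; the function names and both sample configs are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: two readers on one channel with no explicit id.
SAMPLE_BEFORE = """\
winlogbeat.event_logs:
  - name: Application
    event_id: 1000, 1002
    provider:
      - Application Error
      - Application Hang
  - name: Application
    event_id: 1001
    provider:
      - Windows Error Reporting
"""
# Constructed sample: the same readers with the unique ids from the post.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "event_id: 1000, 1002", "id: application-error-hang\n    event_id: 1000, 1002"
).replace("event_id: 1001", "id: application-wer\n    event_id: 1001")

def effective_ids(config_text):
    """Return each reader's registry key: its id, else its name (block-style YAML only)."""
    readers, item_indent, in_list = [], None, False
    for raw in config_text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if body == "winlogbeat.event_logs:":
            in_list, item_indent = True, None
        elif in_list and indent == 0 and not body.startswith("- "):
            in_list = False  # next top-level key ends the list
        elif in_list:
            if body.startswith("- ") and item_indent in (None, indent):
                item_indent = indent  # a new reader entry starts here
                readers.append({})
                body, indent = body[2:].lstrip(), indent + 2
            m = re.match(r"(name|id):\s*(.+)$", body)
            if m and readers and indent == item_indent + 2:
                readers[-1][m.group(1)] = m.group(2).strip("'\"")
    return [r.get("id") or r.get("name") for r in readers]

def colliding_ids(config_text):
    """Registry keys shared by more than one reader."""
    counts = Counter(effective_ids(config_text))
    return sorted(k for k, n in counts.items() if k and n > 1)
```
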