Hi,
we have a lot of Windows Systems which are forwarding all their events to a central window system. From their I want to move the messages to logstash by using WinLogBeat.
It works fine for all "Windows OS" Events, but when it forwards events from Applications like Citrix, I receive as message only:
message_error The system cannot find the file specified.
instead of the real message.,
In the queue of the forwarded events, the message still looks fine.
Any idea?
Thank you
What operating systems are involved here? What version of Winlogbeat?
Please report what format you are using for your forwarded events (event vs rendered event). See the comment here. https://github.com/elastic/beats/issues/1031#issuecomment-196491503
If you haven't already tried Winlogbeat v5, could you run a test with it and see if you get the same behavior. There were some changes to how the events are read.
Hi,
we have > 2000 Win2008 and Win2012 which are forwarding their events to a central win2012 system.
looking at the "forwarded events" of the central system, all messages have content, so I assume the rendered event is forwarded. It seems winlogbeat try to render again, which will fail for most of the application events, because no application is installed on the central log forwarder. Is there a way to change this?
will try winlogbeat 5 next week.
Hi,
I installed winlogbeat 5 alpha, it transfers some messages and then crashes...
Do you have a logs or a stack trace? The logs are probably in C:\ProgramData\winlogbeat\logs\ unless you changed some config.
2016-04-26T08:57:31+02:00 DBG EventLog[Security] Read() returned 0 records
2016-04-26T08:57:31+02:00 DBG WinEventLog[ForwardedEvents] EventHandles returned 7 handles
2016-04-26T08:57:31+02:00 DBG WinEventLog[ForwardedEvents] Read() is returning 7 records
2016-04-26T08:57:31+02:00 DBG EventLog[ForwardedEvents] Read() returned 7 records
2016-04-26T08:57:31+02:00 DBG Publish: {
"@timestamp": "2016-04-26T06:57:00.000Z",
"beat": {
"hostname": "xxxxx",
"name": "xxxxxx"
},
"computer_name": "xxxxxx",
"count": 1,
"event_id": 1,
"level": "",
"log_name": "Application",
"message_error": "The system cannot find the file specified.",
"record_number": "136754",
"source_name": "DirXML Remote Loader",
"type": "wineventlog"
}
2016-04-26T08:57:31+02:00 DBG Publish: {
"@timestamp": "2016-04-26T06:57:15.000Z",
"beat": {
"hostname": "xxxxx",
"name": "xxxxx"
},
"computer_name": "xxxxxx",
"count": 1,
"event_id": 1,
"level": "",
"log_name": "Application",
"message_error": "The system cannot find the file specified.",
"record_number": "136755",
"source_name": "DirXML Remote Loader",
"type": "wineventlog"
}......
Hi Andrew,
some greeting from Monica Sarbu, I met her at the OSDC 2016 in Berlin and ask her if she can support me and she told me there is one Expert for WinLogBeat and thats you! ;.-)
btw: Do you need more information from me regarding this issue?
and in addition a question, yesterday I lost a log of logs from the linux world, just because the first event which where generated yesterday was a windows event log which included a field user defined as a array consist of username and domain. In my syslog events there is also a field user extracted, this field is a plain string...
and elasticsearch doesn't want to save my linux logs anymore.
do you have a Idea how to avoid this in the future.
THANK YOU
Hi @Markus_Korn,
Can you use the Wecutil.exe tool to dump your subscription configuration to XML and paste the XML here.
Please start another thread for your other question since it's unrelated (it helps future people that try to solve the same problems). Describe your setup and config for that issue.
Sorry for the long delay. I finally setup a test environment for this. I used two Windows 2012R2 servers and Winlogbeat 5.0-alpha2. In my testing I found that both message and message_error are being reporting in events when the source application is not installed on the event collector.
The reason is because Winlogbeat attempts to render the event using message files from the local computer and Windows returns an error whose message is "The system cannot find the file specified." Then in an error recovery attempt, it tries to render the event without the message string since it thinks the message file is missing. However during the recovery attempt it is able to fully render the event with its message.
When Winlogbeat recovers from the rendering error it reports both the event and the original error that caused the problem. This normally makes sense because the actual message field is still missing. But in this case it doesn't because the full event with message was rendered by Windows.
I'll work on addressing this problem of having both message and message_error.
{
"@timestamp": "2016-05-19T19:06:19.000Z",
"beat": {
"hostname": "WIN-0660TQ4U6V4",
"name": "winlogbeat-001"
},
"computer_name": "wrks-001.elastic.co",
"event_data": {
"param1": "in24.inetnebr.com - - [01/Aug/1995:00:00:01 -0400] \"GET /shuttle/missions/sts-68/news/sts-68-mcc-05.txt HTTP/1.0\" 200 1839"
},
"event_id": 512,
"keywords": [
"Classic"
],
"level": "Information",
"log_name": "Application",
"message": "in24.inetnebr.com - - [01/Aug/1995:00:00:01 -0400] \"GET /shuttle/missions/sts-68/news/sts-68-mcc-05.txt HTTP/1.0\" 200 1839",
"message_error": "The system cannot find the file specified.",
"opcode": "Info",
"record_number": "7609",
"source_name": "DummyCustomApp",
"tags": [
"ec2"
],
"type": "wineventlog",
"xml": "<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="DummyCustomApp"/>
<EventID Qualifiers="0">512</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-05-19T19:06:19.000000000Z"/>
<EventRecordID>7609</EventRecordID>
<Channel>Application</Channel>
<Computer>wrks-001.elastic.co</Computer>
<Security/>
</System>
<EventData>
<Data>in24.inetnebr.com - - [01/Aug/1995:00:00:01 -0400] \"GET /shuttle/missions/sts-68/news/sts-68-mcc-05.txt HTTP/1.0\" 200 1839</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message>in24.inetnebr.com - - [01/Aug/1995:00:00:01 -0400] \"GET /shuttle/missions/sts-68/news/sts-68-mcc-05.txt HTTP/1.0\" 200 1839</Message>
<Level>Information</Level>
<Task/>
<Opcode>Info</Opcode>
<Channel/>
<Provider/>
<Keywords>
<Keyword>Classic</Keyword>
</Keywords>
</RenderingInfo>
</Event>"
}
(The XML is included because I configured Winlogbeat to include the raw XML received from Windows for debugging purposes using the include_xml: true setting.)
Great Job!
THANK YOU
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.