Winlogbeat message_error: "The system cannot find the file specified."

Sorry for the long delay. I finally set up a test environment for this. I used two Windows 2012R2 servers and Winlogbeat 5.0-alpha2. In my testing I found that both message and message_error are being reported in events when the source application is not installed on the event collector.

The reason is that Winlogbeat attempts to render the event using message files from the local computer and Windows returns an error whose message is "The system cannot find the file specified." Then, in an error recovery attempt, it tries to render the event without the message string since it thinks the message file is missing. However, during the recovery attempt it is able to fully render the event with its message.

When Winlogbeat recovers from the rendering error it reports both the event and the original error that caused the problem. This normally makes sense because the actual message field is still missing. But in this case it doesn't because the full event with message was rendered by Windows.

I'll work on addressing this problem of having both message and message_error.

{
    "@timestamp": "2016-05-19T19:06:19.000Z",
    "beat": {
      "hostname": "WIN-0660TQ4U6V4",
      "name": "winlogbeat-001"
    },
    "computer_name": "wrks-001.elastic.co",
    "event_data": {
      "param1": "in24.inetnebr.com - - [01/Aug/1995:00:00:01 -0400] \"GET /shuttle/missions/sts-68/news/sts-68-mcc-05.txt HTTP/1.0\" 200 1839"
    },
    "event_id": 512,
    "keywords": [
      "Classic"
    ],
    "level": "Information",
    "log_name": "Application",
    "message": "in24.inetnebr.com - - [01/Aug/1995:00:00:01 -0400] \"GET /shuttle/missions/sts-68/news/sts-68-mcc-05.txt HTTP/1.0\" 200 1839",
    "message_error": "The system cannot find the file specified.",
    "opcode": "Info",
    "record_number": "7609",
    "source_name": "DummyCustomApp",
    "tags": [
      "ec2"
    ],
    "type": "wineventlog",
    "xml": "<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="DummyCustomApp"/>
    <EventID Qualifiers="0">512</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-05-19T19:06:19.000000000Z"/>
    <EventRecordID>7609</EventRecordID>
    <Channel>Application</Channel>
    <Computer>wrks-001.elastic.co</Computer>
    <Security/>
  </System>
  <EventData>
    <Data>in24.inetnebr.com - - [01/Aug/1995:00:00:01 -0400] \"GET /shuttle/missions/sts-68/news/sts-68-mcc-05.txt HTTP/1.0\" 200 1839</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>in24.inetnebr.com - - [01/Aug/1995:00:00:01 -0400] \"GET /shuttle/missions/sts-68/news/sts-68-mcc-05.txt HTTP/1.0\" 200 1839</Message>
    <Level>Information</Level>
    <Task/>
    <Opcode>Info</Opcode>
    <Channel/>
    <Provider/>
    <Keywords>
      <Keyword>Classic</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>"
  }

(The XML is included because I configured Winlogbeat to include the raw XML received from Windows for debugging purposes using the include_xml: true setting.)
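For anyone consuming these events downstream in the meantime, the following is an added example, not part of the original post and not Winlogbeat's code. It separates events where message_error is spurious (the message was rendered anyway, as in the event above) from events that really lack a message. The field names come from the event shown in the post; the function names, category labels and sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FILE_NOT_FOUND = "The system cannot find the file specified."

def rendered_message(xml_text):
    """Return the RenderingInfo/Message text from raw event XML, or None."""
    try:
        root = ET.fromstring(xml_text or "")
    except ET.ParseError:
        return None
    node = root.find("e:RenderingInfo/e:Message", NS)
    return node.text if node is not None and node.text else None

def classify(event):
    """Return 'ok', 'spurious_error' or 'render_error' (hypothetical labels)."""
    err = event.get("message_error")
    if not err:
        return "ok"
    msg = event.get("message")
    if msg and err == FILE_NOT_FOUND:
        raw = event.get("xml")
        # When include_xml is on, require Windows' own rendering to match.
        if raw is None or rendered_message(raw) == msg:
            return "spurious_error"
    return "render_error"

def normalize(event):
    """Copy of the event with message_error dropped when it is spurious."""
    out = dict(event)
    if classify(out) == "spurious_error":
        out.pop("message_error")
    return out

# Constructed sample data modelled on the event in the post.
SAMPLE_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="DummyCustomApp"/><EventID>512</EventID></System>'
    '<RenderingInfo Culture="en-US"><Message>constructed test line</Message>'
    '</RenderingInfo></Event>'
)
SAMPLE_EVENTS = [
    {"event_id": 512, "message": "constructed test line",
     "message_error": FILE_NOT_FOUND, "xml": SAMPLE_XML},
    {"event_id": 512, "message_error": FILE_NOT_FOUND},   # truly unrendered
    {"event_id": 512, "message": "constructed test line"},  # clean event
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), sorted(normalize(ev)))
```

Events classified as render_error keep their message_error field, so alerts on missing message files still fire for events that have no message at all.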