Winlogbeat not filtering event more than 21 sources

Unable to get alerts on Kafka if we mention more than 21 event sources in the winlogbeat yml file.


It's documented in the official documentation:

Lol, I also stumbled on this one today. Imho, this should be handled by winlogbeat in the background? Also, the url to the kb in doesn't work.

Hi mazoutte,

Thank you for your reply. I have referred to the given link but it is not working. Winlogbeat filters alerts if we mention up to 21 sources under providers, but after 21 sources we are not getting any output on Kafka.


Please post your configuration of Winlogbeat to check.

Regarding the documentation, what did you try when you say it's not working?

Copy/paste of the documentation:

If you specify more than 22 event IDs to include or 22 event IDs to exclude, Windows will prevent Winlogbeat from reading the event log because it limits the number of conditions that can be used in an event log query. If this occurs a similar warning as shown below will be logged by Winlogbeat, and it will continue processing data from other event logs. For more information, see

WARN EventLog[Application] Open() error. No events will be read from this
source. The specified query is invalid.

If you have more than 22 event IDs, you can work around this Windows limitation by using a drop_event processor to do the filtering after Winlogbeat has received the events from Windows. The filter shown below is equivalent to event_id: 903, 1024, 4624 but can be expanded beyond 22 event IDs.

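winlogbeat.event_logs:
  - name: Security
    processors:
      # Keep only these event IDs; everything else is dropped after collection.
      - drop_event.when.not.or:
        - equals.winlog.event_id: 903
        - equals.winlog.event_id: 1024
        - equals.winlog.event_id: 4624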

Please find the configuration below, where I have 50 sources and 50 event IDs. The configuration file is working if I mention 21 sources, but if I add more than 21 sources I am not getting any alerts.


  • name: Application
    Leval: error, info, warning, critical,
    ignore_older: 72h


    • source1
    • source2
    • source21


    • drop_event.when.not.or:
      • equals.winlog.event_id: 1
      • equals.winlog.event_id: 2
      • equals.winlog.event_id: 3
      • equals.winlog.event_id: 4
      • equals.winlog.event_id: 50

Maybe I am missing something. Please suggest.

Please use the correct format for pasting the config.

Use the same logic as for Event_ids ....
So remove the provider section, and use the drop section to filter unwanted providers or keep the ones you want.

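winlogbeat.event_logs:
  - name: Security
    processors:
      # Keep only these providers; everything else is dropped after collection.
      - drop_event.when.not.or:
        - equals.winlog.provider_name: source1
        - equals.winlog.provider_name: source2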
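
The workaround in the answer above, applied mechanically to a log entry that filters on both event IDs and providers. This is an added example, not code from the thread or from Winlogbeat. The 21-entry threshold (the lower of the two figures reported here), the dict input shape and the sample names are assumptions.

```python
LIMIT = 21  # assumption: lower of the two figures reported in this thread

def rewrite(entry, limit=LIMIT):
    """Move oversized event_id/provider lists of one event_logs entry into
    drop_event processors. Assumes plain include IDs (no ranges, no exclusions)."""
    out = {k: v for k, v in entry.items() if k not in ("event_id", "provider")}
    procs = list(entry.get("processors", []))
    for key, field in (("event_id", "winlog.event_id"),
                       ("provider", "winlog.provider_name")):
        values = entry.get(key, [])
        if len(values) > limit:
            # Separate processors run in sequence, so an event has to match
            # both lists to survive when both are moved.
            procs.append({"drop_event.when.not.or":
                          [{f"equals.{field}": v} for v in values]})
        elif values:
            out[key] = values  # short enough to stay in the Windows query
    if procs:
        out["processors"] = procs
    return out

def to_yaml(entry):
    """Render one rewritten entry in the layout used in this thread."""
    lines = ["winlogbeat.event_logs:", f"  - name: {entry['name']}"]
    for key, value in entry.items():
        if key in ("name", "processors"):
            continue
        if key == "event_id":
            lines.append("    event_id: " + ", ".join(map(str, value)))
        elif isinstance(value, list):
            lines.append(f"    {key}:")
            lines += [f"      - {v}" for v in value]
        else:
            lines.append(f"    {key}: {value}")
    if entry.get("processors"):
        lines.append("    processors:")
    for proc in entry.get("processors", []):
        for name, conds in proc.items():
            lines.append(f"      - {name}:")
            lines += [f"        - {k}: {v}" for c in conds for k, v in c.items()]
    return "\n".join(lines)

# Constructed input modelled on the question: 50 providers, 3 event IDs.
SAMPLE = {"name": "Application", "ignore_older": "72h", "event_id": [1, 2, 3],
          "provider": [f"source{i}" for i in range(1, 51)]}

if __name__ == "__main__":
    print(to_yaml(rewrite(SAMPLE)))
```

After deploying a rewritten entry, check the Winlogbeat log for the `Open() error` warning quoted earlier: while that warning appears, no events are read from that log.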

Hi mazoutte

Thank you so much, it is working.

Please help with filtering alerts with a specific message in the event, like "system overheating".
