Winlogbeat not filtering event more than 21 sources

kumarbn · June 19, 2020, 6:55am

unable to get alert on kafka if we mention more than 21 event source in winlogbeat yml file .

mazoutte · June 19, 2020, 10:57am

HELLO

It's documented in the official documentation :
https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html

willemdh · June 19, 2020, 3:17pm

Lol, I also stumbled on this one today. Imho, this should be handled by winlogbeat in the background? Also, the url to the kb in https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html doesn't work.
Grtz

kumarbn · June 22, 2020, 4:40am

Hi mazoutte,

Thank you for your replay , I have referred given link but it is not working , winlogbeat filtering alert till if we mention 21 sources under providers, but after 21 sources we are not getting any output on kafka.

mazoutte · June 22, 2020, 8:29am

Hello,

Please post your configuration of Winlogbeat to check.

Regarding the documentation, what did you try when you say its not working ?

Copy/Paste of the documentation :

If you specify more that 22 event IDs to include or 22 event IDs to exclude, Windows will prevent Winlogbeat from reading the event log because it limits the number of conditions that can be used in an event log query. If this occurs a similar warning as shown below will be logged by Winlogbeat, and it will continue processing data from other event logs. For more information, see https://support.microsoft.com/en-us/kb/970453.

WARN EventLog[Application] Open() error. No events will be read from this
source. The specified query is invalid.

If you have more than 22 event IDs, you can workaround this Windows limitation by using a drop_event[drop-event] processor to do the filtering after Winlogbeat has received the events from Windows. The filter shown below is equivalent to event_id: 903, 1024, 4624 but can be expanded beyond 22 event IDs.

winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 903
        - equals.winlog.event_id: 1024
        - equals.winlog.event_id: 4624

kumarbn · June 22, 2020, 8:59am

please find configuration below. where I have 50 source and 50 event ID. configuration file is working if i mention 21 sources ..but if I add more source than 21 not getting any alert.

winlogbeat.event_logs:

name: Application
Leval: error, info, warning, critical,
ignore_older: 72h

provider:
- source1
- source2
- source21
processors:
- drop_event.when.not.or:
  - equals.winlog.event_id: 1
  - equals.winlog.event_id: 2
  - equals.winlog.event_id: 3
  - equals.winlog.event_id: 4
  - equals.winlog.event_id: 50

may be am missing something ..please suggest

mazoutte · June 22, 2020, 9:37am

Please use the correct format for pasting the config.

Use the same logic as for Event_ids ....
So remove the provider section, and use the drop section to filter unwanted provider or keep the ones you want.

winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.provider_name: source1
        - equals.winlog.provider_name: source2

kumarbn · June 22, 2020, 12:00pm

Hi mazoutte

Thank you so much ..it is working.

Please help with filtering alerts with specific message in event. like "system overheating "

system · July 20, 2020, 2:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.