Winlogbeat not sending larger event message


(jyothi) #1

Receiving the below error message

The data area passed to a system call is too small. is received in kibana in message_error field.
Any suggestions are apprecited.

Is there any setting at winlogbeat to increase the max size?


(Andrew Kroh) #2

What version are you using? What operating system? I believe this is fixed in 5.0.0-alpha1 for Windows Vista and newer.


(jyothi) #3

I am running this on server. It is Windows 2012 R2 standard. Winlogbeat version is 1.1.2. I configured winlogbeat to output to logstash


(Andrew Kroh) #4

The buffer size in not configurable.

Are you able to try v5? It should fix your problem. The v5 download is at the bottom of the page: https://www.elastic.co/downloads/beats/winlogbeat

Instead of adding the insufficient buffer error to message_error it grows the buffer and retries rendering the message. https://github.com/elastic/beats/blob/master/winlogbeat/eventlog/wineventlog.go#L135


(jyothi) #5

Thankyou very much. I tried v5 aplha version of winlogbeat and this does not show up the error. Do I need to go with v5 alpha or even a previous version also had the fix. Coz I need to use this in production


(Andrew Kroh) #6

The change that fixed the problem was part of a larger refactoring to provide the EventData fields. It was implemented for v5. So unfortunately all of the 1.x versions still will have the issue you encountered. You can open an issue for Winlogbeat 1.x in the repo if needed.


(system) #7

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.