Winlogbeat output to Graylog

Hi All,

I have an issue. My winlogbeat sends duplicates, and in one case I even found 150 copies of the same message in Graylog where in the Windows event log there is only one message.

Winlogbeat: 5.5.2
Graylog: 2.3.0
Elasticsearch: 5.5.2

winlogbeat.event_logs:
  - name: ForwardedEvents
    batch_read_size: 512

output.logstash: # used by Graylog
  hosts: ["GraylogIP:5044"]
  ssl.enabled: true
  ssl.verification_mode: none
  compression_level: 3
  bulk_max_size: 512

There can be 100 events with the same "winlogbeat_record_number" but a different Graylog message code. All those 100 messages are identical. Is anyone else facing the same issue?

No idea about Graylog. But winlogbeat resends events on failure (missing ACK). Check the logs, and the metrics in the logs, for send failures.

I have these messages from time to time (every 30 seconds):

2017-10-24T00:15:32+03:00 INFO Non-zero metrics in the last 30s:
libbeat.logstash.call_count.PublishEvents=30
libbeat.logstash.publish.read_bytes=1050
libbeat.logstash.publish.write_bytes=811609
libbeat.logstash.published_and_acked_events=2841
libbeat.publisher.published_events=2841
published_events.ForwardedEvents=2841
published_events.total=2841
read_errors.1734=10
uptime={"server_time":"2017-10-23T21:15:32.5831811Z",
"start_time":"2017-10-3T10:01:31.4012226Z",
"uptime":"11h14m1.1819585s",
"uptime_ms":"40441181958"}

I cannot find out what "non-zero metrics" means. From what I see, everything looks correct here.

Do the duplicates only occur after restarting Winlogbeat?

If so, you are seeing https://github.com/elastic/beats/issues/3731#issuecomment-290452499, which we plan to fix with some changes in a 6.x minor release. But as long as you aren't restarting often the problem is minimal, and if you are using a Logstash fingerprint filter you can completely work around the issue.
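To illustrate the fingerprint workaround mentioned above, here is an added example (not code from this thread, from Elastic or from Graylog): a deduplication pass keyed on a SHA-256 over computer_name, log_name and record_number, which are the Winlogbeat 5.x field names; the sample events are constructed. It keys on more than record_number alone because that counter is per host and per channel, so two different hosts can legitimately share one.

```python
import hashlib

# Constructed sample events using Winlogbeat 5.x field names. Event 0 is
# re-sent twice (what a missed ACK or a restart can produce), and the last
# event is a genuinely different record that shares the record number.
SAMPLE_EVENTS = [
    {"computer_name": "DC01", "log_name": "ForwardedEvents",
     "record_number": 20571, "event_id": 4624, "message": "Logon"},
    {"computer_name": "DC01", "log_name": "ForwardedEvents",
     "record_number": 20571, "event_id": 4624, "message": "Logon"},
    {"computer_name": "DC01", "log_name": "ForwardedEvents",
     "record_number": 20571, "event_id": 4624, "message": "Logon"},
    {"computer_name": "FS02", "log_name": "ForwardedEvents",
     "record_number": 20571, "event_id": 4663, "message": "Object access"},
]

# The record number is a per-host, per-channel counter, so it only identifies
# an event together with the host and channel it came from.
KEY_FIELDS = ("computer_name", "log_name", "record_number")


def fingerprint(event):
    """Stable SHA-256 over the identifying fields, in a fixed order."""
    key = "|".join("%s=%s" % (f, event[f]) for f in KEY_FIELDS)
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def deduplicate(events):
    """Keep the first copy of each fingerprint; return (kept, dropped_count)."""
    seen = set()
    kept = []
    dropped = 0
    for ev in events:
        fp = fingerprint(ev)
        if fp in seen:
            dropped += 1
            continue
        seen.add(fp)
        kept.append(dict(ev, fingerprint=fp))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = deduplicate(SAMPLE_EVENTS)
    print("kept %d events, dropped %d duplicates" % (len(kept), dropped))
    for ev in kept:
        print(ev["fingerprint"][:12], ev["computer_name"], ev["record_number"])
```

In a real pipeline the same hash would be written into a field such as `fingerprint` and used as the Elasticsearch document id, so re-sent copies overwrite rather than duplicate.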

This is not an error message. The message is printed every 30 seconds, listing only the metrics that have changed during the last 30 seconds.

The published_and_acked_events metric indicates that events have been successfully published. No retries or failures, it seems.
