Winlogbeat reports wrong event_id on Windows Server 2003


#1

Hi everyone,

I run Winlogbeat 1.1 on Windows Server 2003 SP2 32-bit OS, and configured winlogbeat.yml as follows:

event_logs:
  - name: Application
    ignore_older: 3h
  - name: Security
    ignore_older: 3h
  - name: System
    ignore_older: 3h

output:
  file:
    path: "c:"
    filename: winlogbeat

But the result has a wrong field: the correct event_id is 3019, but it generates "event_id": 2147486667.

I'm not sure if that is a bug in Winlogbeat; has anyone encountered the same issue? And how can I get the correct event_id? Thank you so much.

{"@timestamp":"2016-03-21T10:40:48.000Z","beat":{"hostname":"SERVER01","name":"SERVER01"},"category":"0","computer_name":"SERVER01","count":1,"event_id":2147486667,"level":"Warning","log_name":"System","message":"The redirector failed to determine the connection type.","record_number":"114274","source_name":"MRxSmb","type":"eventlogging"}

{"@timestamp":"2016-03-21T10:43:15.000Z","beat":{"hostname":"SERVER01","name":"SERVER01"},"category":"0","computer_name":"SERVER01","count":1,"event_id":2147486667,"level":"Warning","log_name":"System","message":"The redirector failed to determine the connection type.","record_number":"114275","source_name":"MRxSmb","type":"eventlogging"}

(Andrew Kroh) #2

This issue has been fixed in the master branch, but not released yet. If you download the development build of v5 this should be fixed.

This issue was caused by the fact that the event ID is reported as an unsigned 32-bit integer in pre-Vista Windows versions, but the upper 16 bits are not part of the event ID, so they need to be masked from the value. This is the change that fixed the problem.
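To show what that masking does to the value from the question, here is an added Go example (not Winlogbeat's own code) that splits a pre-Vista 32-bit event code into its fields. The field layout it assumes (severity in bits 31-30, customer flag in bit 29, facility in bits 27-16, event code in bits 15-0) is the Windows message-compiler layout; the raw value 2147486667 is the one from the posted output.

```go
package main

import "fmt"

// Severity names for bits 31-30 of a 32-bit message-compiler event code
// (assumed layout: 0 = Success, 1 = Informational, 2 = Warning, 3 = Error).
var severityNames = [4]string{"Success", "Informational", "Warning", "Error"}

// LegacyEventID holds the fields packed into the 32-bit EventID of a
// pre-Vista EVENTLOGRECORD. Only EventID (the low 16 bits) is what
// Event Viewer shows as the event ID.
type LegacyEventID struct {
	Raw      uint32
	EventID  uint16 // bits 15-0: the value users expect, e.g. 3019
	Facility uint16 // bits 27-16
	Customer bool   // bit 29: customer-defined code
	Severity string // bits 31-30
}

// DecodeLegacyEventID masks the upper 16 bits off the raw DWORD to recover
// the real event ID and decodes the remaining bits for cross-checking.
func DecodeLegacyEventID(raw uint32) LegacyEventID {
	return LegacyEventID{
		Raw:      raw,
		EventID:  uint16(raw & 0xFFFF),
		Facility: uint16((raw >> 16) & 0x0FFF),
		Customer: raw&(1<<29) != 0,
		Severity: severityNames[raw>>30],
	}
}

func main() {
	// 2147486667 (0x80000BCB) is the raw value from the question;
	// 0x40001F5A is a constructed informational-severity sample.
	for _, raw := range []uint32{2147486667, 0x40001F5A} {
		d := DecodeLegacyEventID(raw)
		fmt.Printf("raw=%d (0x%08X) event_id=%d facility=%d customer=%v severity=%s\n",
			d.Raw, d.Raw, d.EventID, d.Facility, d.Customer, d.Severity)
	}
}
```

The decoded severity of the sample (Warning) matches the "level" field in the posted JSON, which is a handy sanity check that the mask is being applied to the right bits.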


#3

Great! Thank you so much, the wrong "event_id" value has been fixed in the development version; I got the expected result. I also hope the new version will come out soon. :grin:


(Andrew Kroh) #4