Winlogbeat Services v. Command Line Implementation

Hi all,

I'm sending windows logs via winlogbeat (v.7.13.2) to a logstash instance (v.7.13.0), which processes the logs and sends them to an ES index "winlogs" (v.7.13.0). I've set up the pipeline (no logstash filter yet implemented) following the quick start manual and since I'm sending logs to logstash I've manually inserted the template using the alternate method listed here.

I've noticed that the service doesn't send logs to Logstash -> ES the same way as a command line call "./winlogbeat.exe -e". Via the command line call, thousands of docs land in the index, whereas the service results in only a few dozen.

Can someone explain to me the difference? I was expecting the same behavior (all logs up to an ignore_older variable) from both the Command Line and Service implementation. Can one setup the service to run the same as the command line?

Here are my configurations:

winlogbeat.yml

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h
  - name: Security
    ignore_older: 72h
    
output.logstash:
  hosts: ["127.0.0.1:5044"]
  
setup.template.enabled: false
setup.template.overwrite: false
setup.ilm.enabled: false

logstash beats config

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "winlogs"
  }
}

I noticed that winlogbeat sometimes puts the .winlogbeat.yml (its registry of sent events) in its "${path.data}" and sometimes in "${path}". I suspect both runs send the last 72 hours of data. Look at the service properties: it specifies -path.data, and I suspect it's not the same as the default that is used when you run from the command line.

Why? I blame all Windows problems on the platform :slight_smile:
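One way to verify the reply's suspicion on a given host, as an added PowerShell example that is not part of the thread and not one of Elastic's own scripts: read the service's registered command line, pull out its -path.data argument, and check where a .winlogbeat.yml registry file actually exists compared with the locations a foreground "winlogbeat.exe -e" run would use. It assumes the service is registered under the name "winlogbeat", that the registry file keeps its default name .winlogbeat.yml, and that a command-line run uses the executable's directory as path.home (with path.data under it); those defaults are assumptions, so the script simply checks every candidate and reports what it finds.

```powershell
# Added example (not from the thread or from Elastic's install scripts).
# Shows which .winlogbeat.yml registry file (the record of events already
# shipped) the Winlogbeat *service* uses, versus the one a command-line run
# from the install directory would use. If they differ, each run keeps its own
# "last sent" position, which explains the different document counts.
#
# Assumptions: service name "winlogbeat", registry file name left at the
# default ".winlogbeat.yml", and the command line carries -path.data or
# --path.data. The CLI defaults listed below are assumptions about the Beats
# layout (path.home = executable directory, path.data = path.home\data).

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='winlogbeat'"
if (-not $svc) {
    Write-Error "Service 'winlogbeat' is not installed on this host."
    return
}

$cmd = $svc.PathName
Write-Host "Service command line:"
Write-Host "  $cmd"
Write-Host ""

# Executable path: quoted form first, otherwise the first whitespace token.
$exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
$installDir = Split-Path -Parent $exe

# -path.data value from the service command line (quoted or bare).
$serviceData = $null
if ($cmd -match '--?path\.data\s+"([^"]+)"' -or $cmd -match '--?path\.data\s+(\S+)') {
    $serviceData = $Matches[1]
}

# Candidate registry directories to inspect.
$candidates = [ordered]@{
    'service -path.data'            = $serviceData
    'CLI default: install dir'      = $installDir
    'CLI default: install dir\data' = (Join-Path $installDir 'data')
}

foreach ($label in $candidates.Keys) {
    $dir = $candidates[$label]
    if (-not $dir) {
        Write-Host ("{0,-32} (not set on the service command line)" -f $label)
        continue
    }
    $reg = Join-Path $dir '.winlogbeat.yml'
    if (Test-Path -LiteralPath $reg) {
        $info = Get-Item -LiteralPath $reg
        Write-Host ("{0,-32} {1}  (last write {2})" -f $label, $reg, $info.LastWriteTime)
    } else {
        Write-Host ("{0,-32} {1}  (absent)" -f $label, $reg)
    }
}

$cliDirs = @($installDir, (Join-Path $installDir 'data'))
if ($serviceData -and ($cliDirs -notcontains $serviceData)) {
    Write-Host ""
    Write-Host "The service's path.data differs from the command-line defaults,"
    Write-Host "so the two runs track already-sent events in separate registry files."
}
```

Run it from an elevated PowerShell prompt on the host where the service is installed. A registry file that exists in more than one of the listed directories, each with its own last-write time, is the symptom the reply describes; passing the same -path.data to the foreground run (or pointing the service at the directory you expect) makes both runs share one registry and therefore one "already sent" position.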

You were 100% correct. Thanks for the tip! That is strange behavior, but definitely not the first time that I've seen something like that happen. I'll pay closer attention to the service's parameters as I move forward, but the number of records is now the same as the number I get when I sort my logs. :ok_hand:

Thanks a log! :grin:
