Winlogbeat stopping due to Exception

risshukla · September 26, 2023, 1:22am

We've been using Winlogbeat to forward Workstation logs to Logstash. However, we've encountered an issue after installing Winlogbeat (versions 8.10.2) on our Windows Server 2022.

The issue is as follows:

Exception 0xc0000005 0x1 0x0 0x7ff99d65e254
PC=0x7ff99d65e254

runtime.cgocall(0x290120, 0xc0001006c0)
	runtime/cgocall.go:157 +0x4a fp=0xc00034ac00 sp=0xc00034abc8 pc=0x224d4a
syscall.SyscallN(0xc0000caa80?, {0xc00034ac98?, 0xc00034acf0?, 0xc0003dfa40?})
	runtime/syscall_windows.go:557 +0x109 fp=0xc00034ac78 sp=0xc00034ac00 pc=0x28b0c9
syscall.Syscall9(0x29c7be?, 0xc0001bd340?, 0xc0003f62d0?, 0x23?, 0x0?, 0x0?, 0xc0003f2510?, 0x1?, 0x1?, 0x0, ...)
	runtime/syscall_windows.go:507 +0x78 fp=0xc00034acf0 sp=0xc00034ac78 pc=0x28add8
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog._EvtFormatMessage(0x23?, 0x3600700?, 0x0, 0x0, 0xc000d5e978?, 0x1, 0x0, 0x0?, 0x0?)
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/zsyscall_windows.go:132 +0xf2 fp=0xc00034ad98 sp=0xc00034acf0 pc=0x177f152
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.evtFormatMessage(0xc0003f62d0?, 0x23?, 0x0?, {0x0?, 0x0, 0x1?}, 0x1?)
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:81 +0xa5 fp=0xc00034ae88 sp=0xc00034ad98 pc=0x176f645
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.getMessageString(0xc0003dfa40?, 0x4000?, 0x4000?, {0x0?, 0xc00034af08?, 0x3?})
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:57 +0x45 fp=0xc00034aed0 sp=0xc00034ae88 pc=0x176f4e5
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.getMessageStringFromHandle(...)
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:33
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.Message(0x4000?, {0xc0005e8000?, 0x36006e0?, 0xc0005623a0?}, 0xc00034afc8)
	github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/wineventlog_windows.go:274 +0x12c fp=0xc00034afa0 sp=0xc00034aed0 pc=0x177d5cc
github.com/elastic/beats/v7/winlogbeat/eventlog.newWinEventLog.func5(0xc0003a6000?)
	github.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:289 +0x55 fp=0xc00034afe8 sp=0xc00034afa0 pc=0x2538735
github.com/elastic/beats/v7/winlogbeat/eventlog.(*winEventLog).Read(0xc0003a6000)
	github.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:474 +0x81a fp=0xc00034b658 sp=0xc00034afe8 pc=0x253a1fa
github.com/elastic/beats/v7/winlogbeat/beater.(*eventLogger).run(0xc0006469c0, 0xc0004dade0, {0x361dff8?, 0xc000128500}, {{0xc00041ac60, 0xb}, 0xa49c728, {0xb23705c, 0xedc963e90, 0x0}, ...}, ...)
	github.com/elastic/beats/v7/winlogbeat/beater/eventlogger.go:177 +0x10de fp=0xc00034bed8 sp=0xc00034b658 pc=0x25414de
github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).processEventLog(0xc000277500?, 0x0?, 0x0?, {{0xc00041ac60, 0xb}, 0xa49c728, {0xb23705c, 0xedc963e90, 0x0}, {0xc0000565b0, ...}}, ...)
	github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:215 +0xb3 fp=0xc00034bf70 sp=0xc00034bed8 pc=0x2543bb3
github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).Run.func3()
	github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:183 +0x55 fp=0xc00034bfe0 sp=0xc00034bf70 pc=0x2543935
runtime.goexit()
	runtime/asm_amd64.s:1598 +0x1 fp=0xc00034bfe8 sp=0xc00034bfe0 pc=0x28e781
created by github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).Run
	github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:183 +0x3da

Could someone please assist us in identifying and resolving this problem?

Regards
Rishabh

system · October 24, 2023, 3:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.