We've been using Winlogbeat to forward workstation logs to Logstash. However, we've encountered an issue after installing Winlogbeat (version 8.10.2) on our Windows Server 2022 host.
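The issue is as follows: Winlogbeat terminates with exception 0xc0000005 (access violation) inside the EvtFormatMessage call and prints the following stack trace: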
Exception 0xc0000005 0x1 0x0 0x7ff99d65e254
PC=0x7ff99d65e254
runtime.cgocall(0x290120, 0xc0001006c0)
runtime/cgocall.go:157 +0x4a fp=0xc00034ac00 sp=0xc00034abc8 pc=0x224d4a
syscall.SyscallN(0xc0000caa80?, {0xc00034ac98?, 0xc00034acf0?, 0xc0003dfa40?})
runtime/syscall_windows.go:557 +0x109 fp=0xc00034ac78 sp=0xc00034ac00 pc=0x28b0c9
syscall.Syscall9(0x29c7be?, 0xc0001bd340?, 0xc0003f62d0?, 0x23?, 0x0?, 0x0?, 0xc0003f2510?, 0x1?, 0x1?, 0x0, ...)
runtime/syscall_windows.go:507 +0x78 fp=0xc00034acf0 sp=0xc00034ac78 pc=0x28add8
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog._EvtFormatMessage(0x23?, 0x3600700?, 0x0, 0x0, 0xc000d5e978?, 0x1, 0x0, 0x0?, 0x0?)
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/zsyscall_windows.go:132 +0xf2 fp=0xc00034ad98 sp=0xc00034acf0 pc=0x177f152
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.evtFormatMessage(0xc0003f62d0?, 0x23?, 0x0?, {0x0?, 0x0, 0x1?}, 0x1?)
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:81 +0xa5 fp=0xc00034ae88 sp=0xc00034ad98 pc=0x176f645
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.getMessageString(0xc0003dfa40?, 0x4000?, 0x4000?, {0x0?, 0xc00034af08?, 0x3?})
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:57 +0x45 fp=0xc00034aed0 sp=0xc00034ae88 pc=0x176f4e5
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.getMessageStringFromHandle(...)
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/format_message.go:33
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.Message(0x4000?, {0xc0005e8000?, 0x36006e0?, 0xc0005623a0?}, 0xc00034afc8)
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog/wineventlog_windows.go:274 +0x12c fp=0xc00034afa0 sp=0xc00034aed0 pc=0x177d5cc
github.com/elastic/beats/v7/winlogbeat/eventlog.newWinEventLog.func5(0xc0003a6000?)
github.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:289 +0x55 fp=0xc00034afe8 sp=0xc00034afa0 pc=0x2538735
github.com/elastic/beats/v7/winlogbeat/eventlog.(*winEventLog).Read(0xc0003a6000)
github.com/elastic/beats/v7/winlogbeat/eventlog/wineventlog.go:474 +0x81a fp=0xc00034b658 sp=0xc00034afe8 pc=0x253a1fa
github.com/elastic/beats/v7/winlogbeat/beater.(*eventLogger).run(0xc0006469c0, 0xc0004dade0, {0x361dff8?, 0xc000128500}, {{0xc00041ac60, 0xb}, 0xa49c728, {0xb23705c, 0xedc963e90, 0x0}, ...}, ...)
github.com/elastic/beats/v7/winlogbeat/beater/eventlogger.go:177 +0x10de fp=0xc00034bed8 sp=0xc00034b658 pc=0x25414de
github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).processEventLog(0xc000277500?, 0x0?, 0x0?, {{0xc00041ac60, 0xb}, 0xa49c728, {0xb23705c, 0xedc963e90, 0x0}, {0xc0000565b0, ...}}, ...)
github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:215 +0xb3 fp=0xc00034bf70 sp=0xc00034bed8 pc=0x2543bb3
github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).Run.func3()
github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:183 +0x55 fp=0xc00034bfe0 sp=0xc00034bf70 pc=0x2543935
runtime.goexit()
runtime/asm_amd64.s:1598 +0x1 fp=0xc00034bfe8 sp=0xc00034bfe0 pc=0x28e781
created by github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).Run
github.com/elastic/beats/v7/winlogbeat/beater/winlogbeat.go:183 +0x3da
Could someone please assist us in identifying and resolving this problem?
Regards
Rishabh