Winlogbeats logs an error when trying to use an xml_query to return custom events. I have read thru the documentation and believe the config is correct. Here is the config:
output.logstash:
hosts: ["server"]
path:
data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat"}\data
logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
tags:
- windows-server
winlogbeat.event_logs:
- id: administrative-events
xml_query: |
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
<Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="HardwareEvents">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Internet Explorer">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Key Management Service">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-AppV-Client/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-AppV-Client/Virtual Applications">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-ServerCore-ShellLauncher/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-All-User-Install-Agent/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-AppHost/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-AppModel-Runtime/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-AppReadiness/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Storage-ATAPort/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Client-Licensing-Platform/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-DataIntegrityScan/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-DataIntegrityScan/CrashRecovery">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-DSC/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-DeviceSetupManager/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Storage-Disk/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-DxgKrnl-Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-EDP-Application-Learning/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-EDP-Audit-Regular/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-EDP-Audit-TCB/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-EnrollmentPolicyWebService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-EnrollmentWebService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-FileServices-ServerManager-EventProvider/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-GenericRoaming/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Hyper-V-Guest-Drivers/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Hyper-V-Hypervisor-Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Management-UI/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-MUI/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-PowerShell/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-PrintBRM/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-PushNotification-Platform/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Rdms-UI/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-SecurityMitigationsBroker/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-ServerManager-MultiMachine/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-SMBDirect/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-SMBWitnessClient/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Storage-Tiering/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Storage-ClassPnP/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Storage-Storport/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-TerminalServices-Printers/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-User Device Registration/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-VerifyHardwareSecurity/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-Workplace Join/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Windows PowerShell">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Suppress Path="Microsoft-Windows-DeviceSetupManager/Admin">*[System[(EventID=202 or EventID=200 or EventID=201)]]</Suppress>
<Suppress Path="Microsoft-Windows-User Device Registration/Admin">*[System[(EventID=360)]]</Suppress>
<Suppress Path="Security">*[System[(EventID=129 or EventID=141 or EventID=1102 or EventID=4648 or EventID=4657 or EventID=4688 or EventID=4697 or EventID=4698 or EventID=4720 or EventID=4738 or EventID=4767 or EventID=4728 or EventID=4732 or EventID=4634 or EventID=4735 or EventID=4740 or EventID=4756)]]</Suppress>
<Suppress Path="System">*[System[(EventID=129 or EventID=1022 or EventID=1033 or EventID=1034 or EventID=4624 or EventID=4625 or EventID=4633 or EventID=4719 or EventID=4738 or EventID=7000 or EventID=7022 or EventID=7024 or EventID=7031 or EventID=7035 or EventID=7036 or EventID=7040 or EventID=7045)]]</Suppress>
</Query>
</QueryList>
Logged error: ERROR instance/beat.go:971 Exiting: Failed to create new event log. failed unpacking config. 1 error: event log is missing a 'name' accessing 'winlogbeat.event_logs.0' (source:'C:\Program Files\Graylog\sidecar\generated\652806e541e0fc2ab5a52021\winlogbeat.conf')
According to the documentation the "name" field is not supposed to be used with an xml_query.
Each dictionary under event_logs must have a name field, except for those which use a custom XML query.
It appears you've followed the documentation correctly. The error you encountered likely arises from a mismatch between the configuration and the specific requirements. As per the documentation, the "name" field should not be used when employing a custom XML query. Double-check your configuration to ensure that no "name" field is present in the dictionary under "winlogbeat.event_logs.0." If the issue persists, consider seeking assistance from the support community for further troubleshooting. AC Football Cases
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.