Winlogbeats error when using xml_query

Winlogbeats logs an error when trying to use an xml_query to return custom events. I have read through the documentation and believe the config is correct. Here is the config:

output.logstash:
  hosts: ["server"]
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
tags:
  - windows-server
winlogbeat.event_logs:
  - id: administrative-events
    xml_query: |
     <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
        <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="HardwareEvents">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Internet Explorer">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Key Management Service">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-AppV-Client/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-AppV-Client/Virtual Applications">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-ServerCore-ShellLauncher/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-All-User-Install-Agent/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-AppHost/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Application Server-Applications/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-AppModel-Runtime/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-AppReadiness/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Storage-ATAPort/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Client-Licensing-Platform/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-DataIntegrityScan/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-DataIntegrityScan/CrashRecovery">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-DSC/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-DeviceSetupManager/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Dhcp-Client/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Dhcpv6-Client/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Diagnosis-Scripted/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Storage-Disk/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-DxgKrnl-Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-EDP-Application-Learning/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-EDP-Audit-Regular/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-EDP-Audit-TCB/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-EnrollmentPolicyWebService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-EnrollmentWebService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-FileServices-ServerManager-EventProvider/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-GenericRoaming/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Hyper-V-Guest-Drivers/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Hyper-V-Hypervisor-Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Kernel-EventTracing/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Management-UI/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-MUI/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-PowerShell/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-PrintBRM/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-PrintService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-PushNotification-Platform/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Rdms-UI/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-RemoteApp and Desktop Connections/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-SecurityMitigationsBroker/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-ServerManager-MultiMachine/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-SMBDirect/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-SMBWitnessClient/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Storage-Tiering/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Storage-ClassPnP/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Storage-Storport/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-TerminalServices-PnPDevices/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-TerminalServices-Printers/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-User Device Registration/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-VerifyHardwareSecurity/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Microsoft-Windows-Workplace Join/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Windows PowerShell">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Suppress Path="Microsoft-Windows-DeviceSetupManager/Admin">*[System[(EventID=202 or EventID=200 or EventID=201)]]</Suppress>
        <Suppress Path="Microsoft-Windows-User Device Registration/Admin">*[System[(EventID=360)]]</Suppress>
        <Suppress Path="Security">*[System[(EventID=129 or EventID=141 or EventID=1102 or EventID=4648 or EventID=4657 or EventID=4688 or EventID=4697 or EventID=4698 or EventID=4720 or EventID=4738 or EventID=4767 or EventID=4728 or EventID=4732 or EventID=4634 or EventID=4735 or EventID=4740 or EventID=4756)]]</Suppress>
        <Suppress Path="System">*[System[(EventID=129 or EventID=1022 or EventID=1033 or EventID=1034 or EventID=4624 or EventID=4625 or EventID=4633 or EventID=4719 or EventID=4738 or EventID=7000 or EventID=7022 or EventID=7024 or EventID=7031 or EventID=7035 or EventID=7036 or EventID=7040 or EventID=7045)]]</Suppress>
      </Query>
     </QueryList>

Logged error:
ERROR instance/beat.go:971 Exiting: Failed to create new event log. failed unpacking config. 1 error: event log is missing a 'name' accessing 'winlogbeat.event_logs.0' (source:'C:\Program Files\Graylog\sidecar\generated\652806e541e0fc2ab5a52021\winlogbeat.conf')

According to the documentation the "name" field is not supposed to be used with an xml_query.

Each dictionary under event_logs must have a name field, except for those which use a custom XML query.

Am I missing something?

What version of Winlogbeat?

Version 7.11.1

That's quite old. The xml_query option was introduced around ~7.17 IIRC.

You see that option is not present in Configure Winlogbeat | Winlogbeat Reference [7.11] | Elastic.

And is in 7.17. Configure Winlogbeat | Winlogbeat Reference [7.17] | Elastic

I did not realize that. I will upgrade the version and re-test. Thanks for the heads up.

That was the issue. After upgrading the version to 7.17.13 the xml_query worked without issue.
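A pre-flight check for exactly this failure mode, added here as an example and not part of Winlogbeat or the Graylog sidecar: it mirrors the documented rule (an event_logs entry needs `name` unless it carries `xml_query`), gates `xml_query` on the 7.17 minimum the thread arrived at (an assumption taken from the replies above), and parses the QueryList so a malformed query is caught before the beat is restarted. The sample QueryList and entry are constructed, trimmed from the post's config.

```python
import xml.etree.ElementTree as ET

# Assumption taken from the thread: xml_query first shipped in Winlogbeat 7.17,
# so older builds still demand 'name' and exit with "event log is missing a 'name'".
XML_QUERY_MIN_VERSION = (7, 17)

# Constructed sample: a trimmed version of the QueryList from the post.
SAMPLE_QUERY = """<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]</Select>
    <Suppress Path="Security">*[System[(EventID=4634 or EventID=4648)]]</Suppress>
  </Query>
</QueryList>"""
SAMPLE_ENTRY = {"id": "administrative-events", "xml_query": SAMPLE_QUERY}

def parse_version(version: str) -> tuple:
    """'7.11.1' -> (7, 11); only major.minor matters for the feature gate."""
    return tuple(int(p) for p in version.split(".")[:2])

def validate_xml_query(query: str) -> dict:
    """Parse a QueryList and return the channels it selects and suppresses.
    Raises ValueError for malformed XML or a structure Event Log will not run."""
    try:
        root = ET.fromstring(query)
    except ET.ParseError as exc:
        raise ValueError(f"xml_query is not well-formed XML: {exc}") from exc
    if root.tag != "QueryList":
        raise ValueError(f"root element must be QueryList, got {root.tag}")
    selected, suppressed = [], []
    for q in root.findall("Query"):
        # A Select/Suppress without its own Path inherits the Query's Path.
        selected += [s.get("Path", q.get("Path")) for s in q.findall("Select")]
        suppressed += [s.get("Path", q.get("Path")) for s in q.findall("Suppress")]
    if not selected or None in selected + suppressed:
        raise ValueError("need at least one Select, and every Select/Suppress needs a Path")
    return {"selected": selected, "suppressed": suppressed}

def check_event_log_entry(entry: dict, winlogbeat_version: str) -> list:
    """Return the problems the given Winlogbeat version would report for one entry."""
    if entry.get("xml_query"):
        if parse_version(winlogbeat_version) < XML_QUERY_MIN_VERSION:
            return ["event log is missing a 'name' (xml_query needs 7.17 or newer)"]
        try:
            validate_xml_query(entry["xml_query"])
            return []
        except ValueError as exc:
            return [str(exc)]
    return [] if "name" in entry else ["event log is missing a 'name'"]
```

This only checks structure; whether the XPath filters match what you expect is best confirmed on the host itself by feeding the same QueryList to `Get-WinEvent -FilterXml` before deploying it through the sidecar.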

It appears you've followed the documentation correctly. The error you encountered likely arises from a mismatch between the configuration and the specific requirements. As per the documentation, the "name" field should not be used when employing a custom XML query. Double-check your configuration to ensure that no "name" field is present in the dictionary under "winlogbeat.event_logs.0." If the issue persists, consider seeking assistance from the support community for further troubleshooting.