[WinLogBeats] Missing events from ForwardedEvents channel

Travis · March 19, 2020, 5:21pm

Hello !

I noticed that some logs are missing when I collect the channel "Forwarded Events" of my central log collector

Here is my test.

1-Logs are well forwarded from my client (SRV-2012) to the central log collector (W2012-COLLECTOR) :

2-Only few logs are received in Kibana :

3-Here is the misisng events :

It looks like it works better with own logs of the central log collector. To test I generated logon error and all have been received

I saw this github issue : https://github.com/elastic/beats/issues/3731 but didn't helped me

Did you have the same behavior ? Do you know a workaround or a fix ?

Thanks for your help !

Travis · March 20, 2020, 4:07pm

Anyone ?

I did some more tests with the own security channel of the central log collector and no events are missing. So issue is on the Forwarded Events channel, but this is strange than only few people have noticed this

I also compared with nxlogs and with this tool no events are missing from Forwarded Events channel, but I would like to use WinLogBeats because I can have fields in ECS format and so use Elastic SIEM

Travis · March 23, 2020, 3:56pm

OK. Solved. In my setup, WinLogBeats send logs to Kafkfa, then to Logstash. After more analysis, issue was between Kafka and Logstash. For a unknown reason, some events was not consumed by Logstash Kafka input. I created a new topic and no more issue

system · April 20, 2020, 5:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.