[WinLogBeats] Missing events from ForwardedEvents channel

Elastic Stack Beats
1

Hello !

I noticed that some logs are missing when I collect the channel "Forwarded Events" of my central log collector

Here is my test.

1-Logs are well forwarded from my client (SRV-2012) to the central log collector (W2012-COLLECTOR) :

Forwarded_Events
Forwarded_Events1074×361 43.4 KB

2-Only few logs are received in Kibana :

Received_Events
Received_Events993×715 57.1 KB

3-Here is the misisng events :

Missing_Events
Missing_Events920×299 43.6 KB

It looks like it works better with own logs of the central log collector. To test I generated logon error and all have been received

I saw this github issue : https://github.com/elastic/beats/issues/3731 but didn't helped me

Did you have the same behavior ? Do you know a workaround or a fix ?

Thanks for your help ! :slight_smile:

2

Anyone ?

I did some more tests with the own security channel of the central log collector and no events are missing. So issue is on the Forwarded Events channel, but this is strange than only few people have noticed this

I also compared with nxlogs and with this tool no events are missing from Forwarded Events channel, but I would like to use WinLogBeats because I can have fields in ECS format and so use Elastic SIEM

3

OK. Solved. In my setup, WinLogBeats send logs to Kafkfa, then to Logstash. After more analysis, issue was between Kafka and Logstash. For a unknown reason, some events was not consumed by Logstash Kafka input. I created a new topic and no more issue :slight_smile:

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.