[winlogbeat] Fix forwarded event handling and add channel error resilience by marc-gr · Pull Request #46190 · elastic/beats

marc-gr · 2025-08-22T13:21:18Z

Proposed commit message

Introduces two key fixes to Winlogbeat for better handling of Windows Event Log scenarios:

Use XMLRenderer for forwarded events
- Automatically use XMLRenderer for forwarded events regardless of the include_xml setting
- Simplifies renderer configuration and ensures proper handling of forwarded event data to prevent cache pollution
Add ignore_missing_channel configuration option
- Prevents Winlogbeat from stopping when encountering ERROR_EVT_CHANNEL_NOT_FOUND errors
- Useful for deployments across diverse Windows environments where not all event log channels may be present

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have made corresponding change to the default configuration files
I have added tests that prove my fix is effective or that my feature works
I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Even if this is adding a new option is to be able to prevent elastic-agent to show as degraded in scenarios where before it was not, so we will backport this also

github-actions · 2025-08-22T13:21:26Z

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

elasticmachine · 2025-08-22T13:22:56Z

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

github-actions · 2025-08-22T13:24:39Z

🔍 Preview links for changed docs

vishaangelova

LGTM for the doc changes

CHANGELOG.next.asciidoc

PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com>

AndersonQ

Looks good, I'll wait the tests pass to approve it.

docs/reference/filebeat/filebeat-input-winlog.md

approved by mistake

elasticmachine · 2025-09-02T07:27:44Z

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

github-actions · 2025-09-03T15:05:31Z

@Mergifyio backport 8.17 8.18 8.19 9.0 9.1

mergify · 2025-09-03T15:05:51Z

backport 8.17 8.18 8.19 9.0 9.1

✅ Backports have been created

Details

#46364 [8.17](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience has been created for branch 8.17 but encountered conflicts
#46365 [8.18](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience has been created for branch 8.18 but encountered conflicts
#46366 [8.19](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience has been created for branch 8.19 but encountered conflicts
#46367 [9.0](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience has been created for branch 9.0 but encountered conflicts
#46368 [9.1](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience has been created for branch 9.1

…ience (#46190) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> (cherry picked from commit abcb373) # Conflicts: # docs/reference/filebeat/filebeat-input-winlog.md # docs/reference/winlogbeat/configuration-winlogbeat-options.md # docs/reference/winlogbeat/winlogbeat-reference-yml.md # winlogbeat/eventlog/config.go # winlogbeat/eventlog/runner.go # winlogbeat/eventlog/wineventlog.go # winlogbeat/sys/wineventlog/renderer.go # winlogbeat/sys/wineventlog/renderer_test.go # x-pack/filebeat/tests/integration/windows/inputs_windows_test.go

…ience (#46190) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> (cherry picked from commit abcb373) # Conflicts: # docs/reference/filebeat/filebeat-input-winlog.md # docs/reference/winlogbeat/configuration-winlogbeat-options.md # docs/reference/winlogbeat/winlogbeat-reference-yml.md # winlogbeat/eventlog/config.go # winlogbeat/eventlog/wineventlog.go # winlogbeat/sys/wineventlog/renderer.go # x-pack/filebeat/tests/integration/windows/inputs_windows_test.go

…ience (#46190) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> (cherry picked from commit abcb373) # Conflicts: # docs/reference/filebeat/filebeat-input-winlog.md # docs/reference/winlogbeat/configuration-winlogbeat-options.md # docs/reference/winlogbeat/winlogbeat-reference-yml.md # winlogbeat/eventlog/config.go # winlogbeat/eventlog/wineventlog.go # winlogbeat/sys/wineventlog/renderer.go

…ience (#46190) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> (cherry picked from commit abcb373) # Conflicts: # winlogbeat/eventlog/wineventlog.go

…ience (#46190) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> (cherry picked from commit abcb373)

nicpenning · 2025-09-03T17:29:03Z

Does Filebeat have the same/similar issue and if so, does this correct it?

marc-gr · 2025-09-03T19:26:47Z

Does Filebeat have the same/similar issue and if so, does this correct it?

this corrects both winlogbeat and the winlog input in filebeat

…add channel error resilience (#46368) * [winlogbeat] Fix forwarded event handling and add channel error resilience (#46190) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> (cherry picked from commit abcb373) * Update CHANGELOG for Winlogbeat fixes Removed outdated entries and added new fixes for Winlogbeat. * Change minimum stack version for ignore_missing_channel Update the minimum supported stack version for ignore_missing_channel option. * Change minimum stack version for ignore_missing_channel Update the minimum supported stack version for the ignore_missing_channel option. --------- Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com>

nicpenning · 2025-09-03T22:07:09Z

Awesome, thank you!

…add channel error resilience (#46367) * [winlogbeat] Fix forwarded event handling and add channel error resilience (#46190) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> (cherry picked from commit abcb373) # Conflicts: # winlogbeat/eventlog/wineventlog.go * Resolve conflict * Fix changelog and docs --------- Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> Co-authored-by: Marc Guasch <marc.guasch@elastic.co>

…ience (#46190) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> (cherry picked from commit abcb373)

…ience (#46190) (#46366) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- (cherry picked from commit abcb373) Co-authored-by: Marc Guasch <marc.guasch@elastic.co> Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com>

…ience (#46190) (#46365) * Use XMLRenderer for forwarded events * Include new IgnoreMissingChannel option * Default to true and add test * Update CHANGELOG.next.asciidoc PR feedback * Run mage update * Add mustIgnoreError to all platforms * Show example with non default value --------- (cherry picked from commit abcb373) Co-authored-by: Marc Guasch <marc.guasch@elastic.co> Co-authored-by: Nick Fritts <56593026+nfritts@users.noreply.github.com> Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com>

botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Aug 22, 2025

mergify bot assigned marc-gr Aug 22, 2025

marc-gr force-pushed the fix/winlogbeat-fw-cache-ignore branch from c4a5b0a to 50c3cf6 Compare August 22, 2025 13:22

marc-gr marked this pull request as ready for review August 22, 2025 13:22

marc-gr requested review from a team as code owners August 22, 2025 13:22

marc-gr added 2 commits August 22, 2025 15:23

Use XMLRenderer for forwarded events

5435bc8

Include new IgnoreMissingChannel option

4a7fe8a

marc-gr force-pushed the fix/winlogbeat-fw-cache-ignore branch from 50c3cf6 to 4a7fe8a Compare August 22, 2025 13:23

Default to true and add test

a457f1b

marc-gr requested a review from a team as a code owner August 22, 2025 14:09

marc-gr requested review from AndersonQ and VihasMakwana August 22, 2025 14:09

vishaangelova approved these changes Aug 26, 2025

View reviewed changes

CHANGELOG.next.asciidoc Outdated Show resolved Hide resolved

Update CHANGELOG.next.asciidoc

25aa1b3

PR feedback Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com>

nfritts approved these changes Aug 26, 2025

View reviewed changes

AndersonQ previously approved these changes Aug 28, 2025

View reviewed changes

docs/reference/filebeat/filebeat-input-winlog.md Outdated Show resolved Hide resolved

marc-gr added 2 commits September 1, 2025 10:28

Run mage update

30b6bf9

Add mustIgnoreError to all platforms

65f1e3c

marc-gr added 2 commits September 2, 2025 11:33

Merge branch 'main' into fix/winlogbeat-fw-cache-ignore

73fd91f

Merge branch 'main' into fix/winlogbeat-fw-cache-ignore

898c57d

VihasMakwana approved these changes Sep 3, 2025

View reviewed changes

nfritts approved these changes Sep 3, 2025

View reviewed changes

marc-gr enabled auto-merge (squash) September 3, 2025 14:43

marc-gr merged commit abcb373 into elastic:main Sep 3, 2025
57 of 60 checks passed

mergify bot mentioned this pull request Sep 3, 2025

[8.17](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience #46364

Closed

6 tasks

mergify bot mentioned this pull request Sep 3, 2025

[8.18](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience #46365

Merged

6 tasks

mergify bot mentioned this pull request Sep 3, 2025

[8.19](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience #46366

Merged

6 tasks

mergify bot mentioned this pull request Sep 3, 2025

[9.0](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience #46367

Merged

6 tasks

mergify bot mentioned this pull request Sep 3, 2025

[9.1](backport #46190) [winlogbeat] Fix forwarded event handling and add channel error resilience #46368

Merged

6 tasks

marc-gr deleted the fix/winlogbeat-fw-cache-ignore branch September 3, 2025 19:25

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[winlogbeat] Fix forwarded event handling and add channel error resilience#46190

[winlogbeat] Fix forwarded event handling and add channel error resilience#46190
marc-gr merged 10 commits intoelastic:mainfrom
marc-gr:fix/winlogbeat-fw-cache-ignore

marc-gr commented Aug 22, 2025

github-actions bot commented Aug 22, 2025

elasticmachine commented Aug 22, 2025

github-actions bot commented Aug 22, 2025 •

edited

Loading

vishaangelova left a comment

Uh oh!

AndersonQ left a comment

Uh oh!

elasticmachine commented Sep 2, 2025

Uh oh!

github-actions bot commented Sep 3, 2025

mergify bot commented Sep 3, 2025 •

edited

Loading

nicpenning commented Sep 3, 2025

marc-gr commented Sep 3, 2025

nicpenning commented Sep 3, 2025

Labels

8 participants

Conversation

marc-gr commented Aug 22, 2025

Proposed commit message

Checklist

github-actions bot commented Aug 22, 2025

🤖 GitHub comments

elasticmachine commented Aug 22, 2025

github-actions bot commented Aug 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 Preview links for changed docs

vishaangelova left a comment

Choose a reason for hiding this comment

Uh oh!

AndersonQ left a comment

Choose a reason for hiding this comment

Uh oh!

elasticmachine commented Sep 2, 2025

Uh oh!

github-actions bot commented Sep 3, 2025

mergify bot commented Sep 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Backports have been created

nicpenning commented Sep 3, 2025

marc-gr commented Sep 3, 2025

nicpenning commented Sep 3, 2025

Labels

8 participants

github-actions bot commented Aug 22, 2025 •

edited

Loading

mergify bot commented Sep 3, 2025 •

edited

Loading