1. Describe your incident:
I have 2 winlogbeat configurations, 1 for workstations and 1 for servers.
When I add some conf on graylog for both of them, auto-update works every time on Windows 10 but fails every time on Windows Server.
2. Describe your environment:
- OS Information:
Docker: 24.0.7
Graylog: 5.2.1
Opensearch: 2.11.0
mongodb: 6.0.11
traefik: 2.10.5
- Package Version:
Graylog Sidecar: 1.5.0
Winlogbeat: 7.17.13.0
3. What steps have you already taken to try and solve the problem?
Say we want to add some event IDs to monitor for our Windows servers: we edit the configuration on the graylog side, save the conf and wait 30 seconds for the auto update to reach the sidecar agents. It works on W10, but fails on WServer.
On the server side, we can see that the wrapper for winlogbeat is stopped:
And even if I comment out the tag that loads the winlogbeat conf and restart the sidecar service, the wrapper service is not deleted.
It only works if I open Task Manager and kill the winlogbeat process which is associated with the wrapper (child process).
After killing the process, I can restart the sidecar service, and now the server has the latest winlogbeat configuration.
On W10, I do not have this issue, as the configuration updates itself.
4. How can the community help?
Is this issue related to the fact that I use Winlogbeat 7.17.13.0 while the recommended one for Opensearch is 7.12.1?
If I use 7.12.1, some of my parameters do not work due to the lack of features I want in this version. That is why I use 7.17.13.0.
Or is it because I replaced the original winlogbeat binary and this is just a permissions issue? But why does it not happen on W10 then?
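Added as a diagnostic for the situation described in this post (example code, not part of the original post): a PowerShell check that shows whether the Sidecar wrapper service is stopped while a winlogbeat.exe child process is still alive, which is the state where the new configuration cannot be applied until that process goes away. The wrapper service name is a placeholder assumption; take the real one from services.msc on the affected server.

```powershell
# Added diagnostic (not from the original post). Reports a Sidecar-managed Winlogbeat
# wrapper service that is stopped while a winlogbeat.exe child process is still running.
# ASSUMPTION: the default service name below is a placeholder; copy the real one from services.msc.
param(
    [string]$WrapperService = 'PLACEHOLDER-winlogbeat-wrapper-service'
)

# 1. State of the wrapper service that Sidecar is supposed to control.
$svc = Get-Service -Name $WrapperService -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$WrapperService' not found; check the name in services.msc"
} else {
    "Wrapper service '{0}': {1}" -f $svc.Name, $svc.Status
}

# 2. Every winlogbeat.exe process with its parent, so a leftover child is visible at a glance.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'winlogbeat.exe'"
if (-not $procs) {
    "No winlogbeat.exe process is running; Sidecar should be able to (re)start the wrapper."
    return
}

foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    # Orphaned: the parent is gone, or the wrapper service is not running while its child still is.
    $orphan = (-not $parent) -or ($svc -and $svc.Status -ne 'Running')
    [pscustomobject]@{
        Pid         = $p.ProcessId
        ParentPid   = $p.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<gone>' }
        Started     = $p.CreationDate
        Orphaned    = $orphan
        CommandLine = $p.CommandLine
    }
}
```

Run it from an elevated PowerShell before and after a Graylog-side configuration change; a row with `Orphaned = True` is the state the post describes, where restarting the sidecar service alone does not pick up the new configuration.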