Winlogbeat is shipping Windows events with placeholders instead of actual data

1. Describe your incident:
Sidecar’s own Winlogbeat is shipping logs with placeholders (modifiers) instead of showing the actual data; some of the data is being auto-captured into Winlogbeat’s own fields, but not all.
On other machines I’m getting the data properly in the message field.

2. Describe your environment:

  • OS Information:
    Server: Ubuntu 20.04.5
    Client: Windows 10/11
  • Package Version:
    Sidecar 1.2.0
  • Service logs, configurations, and environment variables:
    Winlogbeat config:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["10.0.0.91:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - firstphase
winlogbeat:
  event_logs:
    - name: Security

3. What steps have you already taken to try and solve the problem?
Actually I am not sure where to start, I never had this problem before and searching the web yielded no results.

4. How can the community help?
Is this a known phenomenon? Is there any way to get the actual data displayed?

Check the winlogbeat.exe version on the actual file between the two machines. I had some older versions of winlogbeat.exe on some machines, and that messed up some of my data.

2 Likes

Not surprisingly, I’m having consistent info everywhere: winlogbeat.exe & filebeat.exe 7.11.1.0 and graylog-sidecar.exe 1.2.0.1, as I used the same sidecar installer.
I checked the sidecar logs and there is nothing of interest there, so I’m calling off the search as I have no idea what the culprit is (if any). It’s only one machine that’s doing this; I’ll just reformat it and see what happens.

If you find a solution, post it here for future searchers!

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.