[7.17](backport #32697) winlogbeat/eventlog: reduce severity of messa…

…ge salvage failure logging (#33073) * winlogbeat/eventlog: reduce severity of message salvage failure logging (#32697) Previously a failure to salvage a message for a Windows logging event would be logged as an error. This can cause unnecessary concern, so log as a warning. Also log the event ID/qualifier and the creation time so that lost-message events can be more easily found in indexed documents for confirmation. (cherry picked from commit 428dbc0) * fix conflicts Co-authored-by: Dan Kortschak <[email protected]> Co-authored-by: Dan Kortschak <[email protected]>
elastic · Sep 13, 2022 · e4c3db2 · e4c3db2
1 parent a1ec68e
commit e4c3db2
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -57,7 +57,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Winlogbeat*
 
-
+- Reduce severity of message salvage failure logging. {pull}32697[32697]
 
 *Functionbeat*
 

diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
@@ -332,7 +332,8 @@ func (l *winEventLog) Read() ([]Record, error) {
 		if r.Message == "" {
 			r.Message, err = l.message(h)
 			if err != nil {
-				logp.Err("%s error salvaging message: %v", l.logPrefix, err)
+				logp.Warn("%s error salvaging message (event id=%d qualifier=%d provider=%q created at %s will be included without a message): %v",
+					l.logPrefix, r.EventIdentifier.ID, r.EventIdentifier.Qualifiers, r.Provider.Name, r.TimeCreated.SystemTime, err)
 			}
 		}
 		records = append(records, r)
Original file line number	Diff line number	Diff line change
Expand Up		@@ -57,7 +57,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

		Winlogbeat


		- Reduce severity of message salvage failure logging. {pull}32697[32697]

		Functionbeat

Expand Down