diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 92e3291317e..fe1c33ea552 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -84,6 +84,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
 - Remove top level `hash` property from sysmon events {pull}20653[20653]
 - Move module processing from local Javascript processor to ingest node {issue}29184[29184] {pull}29435[29435]
+- Fix run loop when reading from evtx file {pull}30006[30006]
 
 *Functionbeat*
 
diff --git a/winlogbeat/beater/eventlogger.go b/winlogbeat/beater/eventlogger.go
index b7507cfe8c0..390a2fb3975 100644
--- a/winlogbeat/beater/eventlogger.go
+++ b/winlogbeat/beater/eventlogger.go
@@ -130,7 +130,7 @@ func (e *eventLogger) run(
 	}()
 
 runLoop:
-	for {
+	for stop := false; !stop; {
 		err = api.Open(state)
 		if eventlog.IsRecoverable(err) {
 			e.log.Warnw("Open() encountered recoverable error. Trying again...", "error", err)
@@ -142,7 +142,7 @@ runLoop:
 		}
 		e.log.Debug("Opened successfully.")
 
-		for stop := false; !stop; {
+		for !stop {
 			select {
 			case <-done:
 				return
@@ -171,6 +171,9 @@ runLoop:
 			e.log.Debugf("Read() returned %d records.", len(records))
 			if len(records) == 0 {
 				time.Sleep(time.Second)
+				if stop {
+					return
+				}
 				continue
 			}