When using the alpha2 build to utilize the log level for event logs I receive the error below. An identical winlogbeat.yml works and filters the event logs correctly when using the 64 bit build. I've included the example YML file as well.
CRIT Exiting: Failed to create new event log. 1 error: Invalid event log key 'level' found. Valid keys are api, fields, fields_under_root, format_buffer_size, ignore_older, name, read_buffer_size, tags
What operating system are you running Winlogbeat on?
The level parameter can only be used with the Windows Event Log API which should be available on Windows Vista and newer operating systems. This is noted in the documentation for level.
Based on the error message you posted, Winlogbeat detected that the "Windows Event Log" API is not available and it is using the older "Event Logging" API. Those options listed in the error are for the "Event Logging" API that is part of Windows XP and 2003.
You are correct, just found this:
A list of event levels to include. The value is a comma-separated list of levels. This option is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer).
andrewkroh changed the title from "WinlogBeat 32-bit fails to recognize level as a filter for eventlog names" to "Winlogbeat fails to recognize level filter on Windows XP and 2003" on May 11, 2016
BTW as a future work-around (though not as efficient), you could probably use the conditional filters to drop events you don't care about. It's still being worked on: #1447
When using the alpha2 build to utilize the log level for event logs I receive the error below. An identical winlogbeat.yml works and filters the event logs correctly when using the 64 bit build. I've included the example YML file as well.
CRIT Exiting: Failed to create new event log. 1 error: Invalid event log key 'level' found. Valid keys are api, fields, fields_under_root, format_buffer_size, ignore_older, name, read_buffer_size, tags
```yaml
winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml
  event_logs:
    - name: Application
      level: warning
    - name: Security
      level: warning
    - name: System
      level: warning
output:
  logstash:
    hosts: ["HOST:5044"]
    #tls:
      #certificate_authorities: ["C:/ProgramFiles/winlogbeat/logstash-forwarder.crt"]
logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info
```
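As an added example (not part of the issue thread and not Winlogbeat's own code), here is a pre-deployment check that flags `event_logs` keys the older Event Logging API rejects, using the valid-key list from the error message above. The function names and the version mapping (NT 5.x for XP/2003, NT 6.0 for Vista) are this example's assumptions, and the config is passed in as already-parsed data.

```python
# Added example: pre-flight check for winlogbeat event_logs entries before
# rolling one config out to hosts that include Windows XP / Server 2003.

# Keys accepted by the older "Event Logging" API, copied from the error message.
EVENTLOGGING_KEYS = {
    "api", "fields", "fields_under_root", "format_buffer_size",
    "ignore_older", "name", "read_buffer_size", "tags",
}


def select_api(windows_major_version):
    """Name the API available on a host (hypothetical helper).

    Vista is NT 6.0; XP and Server 2003 are NT 5.x.
    """
    return "Windows Event Log" if windows_major_version >= 6 else "Event Logging"


def check_event_logs(event_logs, windows_major_version):
    """Return (log name, rejected key) pairs for the target OS version."""
    if select_api(windows_major_version) == "Windows Event Log":
        # The thread only lists valid keys for the older API, so nothing
        # is checked for the newer one.
        return []
    problems = []
    for entry in event_logs:
        for key in sorted(set(entry) - EVENTLOGGING_KEYS):
            problems.append((entry.get("name", "<unnamed>"), key))
    return problems


# The event_logs section posted in this issue, as already-parsed data.
POSTED_EVENT_LOGS = [
    {"name": "Application", "level": "warning"},
    {"name": "Security", "level": "warning"},
    {"name": "System", "level": "warning"},
]

if __name__ == "__main__":
    for major, label in ((5, "Windows XP/2003"), (6, "Windows Vista and newer")):
        api = select_api(major)
        problems = check_event_logs(POSTED_EVENT_LOGS, major)
        if not problems:
            print(f"{label} ({api} API): config accepted")
        for name, key in problems:
            print(f"{label} ({api} API): event log '{name}' uses invalid key '{key}'")
```

A host that fails this check would exit at startup as shown in the error above and ship no events, so it is worth running against every OS version in the fleet before deploying a shared config.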