Skip to content

[winlogbeat] when ingesting evtx file processing stops at 512 #47388

New issue
New issue
Open
Open
[winlogbeat] when ingesting evtx file processing stops at 512#47388
Labels
needs_teamIndicates that the issue/PR needs a Team:* label
@intxgo

Description

@intxgo
intxgo
opened on Oct 29, 2025

For confirmed bugs, please report:

  • Version: 9.1.5
  • Operating System: windows
  • Discuss Forum URL:
  • Steps to Reproduce:

We've obseved that winlogbeat process only 512 events and reports EOL with this config:

winlogbeat.event_logs:
  - name: "C:/test/saved-events.evtx"
    no_more_events: stop

However it process all events from evtx file with this config:

winlogbeat.event_logs:
  - name: "C:/sdh/customer-events.evtx"

or this config:

winlogbeat.event_logs:
  - name: "C:/sdh/customer-events.evtx"
    no_more_events: stop
    batch_read_size: 128

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs_teamIndicates that the issue/PR needs a Team:* label

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions