
[Winlogbeat] Detect and handle publisher disabled errors #35316

Closed
taylor-swanson opened this issue May 3, 2023 · 2 comments · Fixed by #42187
Labels
enhancement Team:Security-Windows Platform Windows Platform Team in Security Solution Winlogbeat

Comments

@taylor-swanson (Contributor)

Under certain circumstances, formatting of event logs can fail with an error like the following:

WinEventLog[] error salvaging message (event id=5 qualifier=0 provider="Microsoft-Windows-Sysmon" created at TIME will be included without a message): failed in EvtFormatMessage: The publisher has been disabled and its resource is not available. This usually occurs when the publisher is in the process of being uninstalled or upgraded.

In one particular case, Sysmon was upgraded using the Chocolatey package manager and the error above occurred. It took a restart of Winlogbeat to correct the issue. It may be possible to leverage the recoverable error mechanism that already exists in Winlogbeat to detect this error and resubscribe to the affected channel.

The error is detectable through the following Windows error code:

    ERROR_EVT_PUBLISHER_DISABLED
    15037 (0x3ABD)
    The publisher has been disabled and its resource is not available. This usually occurs when the publisher is in the process of being uninstalled or upgraded.

I'm not sure of all the conditions in which this error can occur, however. With the above scenario, this error was likely due to Winlogbeat holding a handle to the old channel/publisher that was replaced, and resubscribing fixed the issue. There are other cases where a user must intervene and correct an issue in Windows itself (see this post), so resubscribing may not actually work.
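The following is an added illustration of the detect-and-resubscribe handling proposed above; it is example code, not Winlogbeat's own implementation. On Windows the code from EvtFormatMessage arrives as a syscall.Errno; here a local winErrno type stands in for it so the example runs on any platform, and the names isPublisherDisabled, recoverer, onFormatError, simulate and sampleResults are all hypothetical. The recoverer treats only ERROR_EVT_PUBLISHER_DISABLED (15037) as grounds for resubscribing, and bounds the number of resubscribe attempts so that the cases where resubscribing cannot help (the ones needing operator intervention in Windows) end in a give-up decision rather than an endless loop.

```go
package main

import (
	"errors"
	"fmt"
)

// ERROR_EVT_PUBLISHER_DISABLED, the Win32 code quoted in the issue: 15037 (0x3ABD).
const errPublisherDisabledCode = 15037

// winErrno stands in for syscall.Errno so the example compiles and runs off-Windows.
// Assumption: the numeric value is the Win32 error code, exactly as on Windows.
type winErrno uint32

func (e winErrno) Error() string {
	return fmt.Sprintf("win32 error %d (0x%X)", uint32(e), uint32(e))
}

// isPublisherDisabled walks the wrapped chain (errors produced with %w) and reports
// whether the root cause is ERROR_EVT_PUBLISHER_DISABLED. errors.As is used rather
// than string matching, because the message text is localized and may change.
func isPublisherDisabled(err error) bool {
	var e winErrno
	return errors.As(err, &e) && uint32(e) == errPublisherDisabledCode
}

// action is the reader loop's decision after EvtFormatMessage fails for an event.
type action int

const (
	actKeepGoing   action = iota // emit the event without a message and keep reading
	actResubscribe               // close the subscription and subscribe to the channel again
	actGiveUp                    // resubscribing keeps failing: likely needs an operator to fix the publisher in Windows
)

func (a action) String() string {
	return [...]string{"keep-going", "resubscribe", "give-up"}[a]
}

// recoverer bounds how often a channel is resubscribed for the same fault, so a
// publisher that is genuinely broken (not just mid-upgrade) cannot cause an endless
// resubscribe loop.
type recoverer struct {
	maxResubscribes int
	attempts        int
}

// onFormatError classifies one formatting result. A nil error means an event was
// formatted successfully, which shows the publisher is back and resets the counter.
func (r *recoverer) onFormatError(err error) action {
	switch {
	case err == nil:
		r.attempts = 0
		return actKeepGoing
	case !isPublisherDisabled(err):
		// Other EvtFormatMessage failures are not fixed by resubscribing; keep the
		// existing salvage behaviour (event included without a message).
		return actKeepGoing
	case r.attempts < r.maxResubscribes:
		r.attempts++
		return actResubscribe
	default:
		return actGiveUp
	}
}

// simulate feeds a sequence of formatting results through the recoverer and returns
// the decision made for each one.
func simulate(r *recoverer, results []error) []action {
	out := make([]action, 0, len(results))
	for _, err := range results {
		out = append(out, r.onFormatError(err))
	}
	return out
}

// sampleResults is a constructed sequence standing in for what a reader loop might
// see across a Sysmon upgrade: publisher disabled, one good event after resubscribing,
// then a publisher that stays disabled, then an unrelated error.
func sampleResults() []error {
	disabled := fmt.Errorf("failed in EvtFormatMessage: %w", winErrno(errPublisherDisabledCode))
	other := fmt.Errorf("failed in EvtFormatMessage: %w", winErrno(5)) // ERROR_ACCESS_DENIED
	return []error{disabled, nil, disabled, disabled, disabled, other}
}

func main() {
	r := &recoverer{maxResubscribes: 2}
	for i, a := range simulate(r, sampleResults()) {
		fmt.Printf("event %d: %s\n", i+1, a)
	}
}
```

With maxResubscribes set to 2, the constructed sequence yields resubscribe, keep-going, resubscribe, resubscribe, give-up, keep-going: the first disabled error triggers a resubscribe, the successful event afterwards resets the budget, and the second run of failures exhausts it. A real reader would act on actResubscribe by closing and reopening the subscription handle (the step that fixed the Chocolatey upgrade case in the report) and on actGiveUp by logging at a level an operator will notice.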

@elasticmachine (Collaborator)

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine (Collaborator)

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
