The winlog input cannot populate the system.security dataset when installed in an unprivileged agent that is not part of the appropriate winlog readers group.
Today this failure is silent, generating no logs. Investigate if it is possible to detect a permissions error when in this situation and set the winlog input as degraded using the agent control protocol so that the user can identify and optionally correct the problem.
Support for reporting status using the control protocol was added in #39209 using the CEL input as a reference implementation.
system.security dataset is not generated for Windows agent installed with unprivileged flag. elastic-agent#4647
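A sketch of the detection requested above, added here as an illustration and not taken from Beats or the CEL input: it maps an access-denied error from opening a channel to a degraded status rather than failing silently. `Status`, `Recorder`, `WinErr`, `StartChannel`, the `open` callback and the `Security` channel name are all hypothetical stand-ins; only the Windows error code 5 (ERROR_ACCESS_DENIED) is a real value.

```go
package main

import (
	"errors"
	"fmt"
)

// Status and Recorder are constructed stand-ins for control-protocol status
// reporting; they are not the Beats API.
type Status string

const (
	Running  Status = "RUNNING"
	Degraded Status = "DEGRADED"
	Failed   Status = "FAILED"
)

type Recorder struct {
	State Status
	Msg   string
}

func (r *Recorder) UpdateStatus(s Status, msg string) { r.State, r.Msg = s, msg }

// WinErr models a Windows system error code; 5 is ERROR_ACCESS_DENIED.
type WinErr uint32

const ErrAccessDenied WinErr = 5

func (e WinErr) Error() string { return fmt.Sprintf("windows error %d", uint32(e)) }

// StartChannel calls open (a hypothetical subscribe function) and turns a
// permission failure into a visible DEGRADED status instead of silence.
func StartChannel(channel string, open func(string) error, r *Recorder) error {
	err := open(channel)
	switch {
	case err == nil:
		r.UpdateStatus(Running, "subscribed to "+channel)
	case errors.Is(err, ErrAccessDenied): // also matches through %w wrapping
		r.UpdateStatus(Degraded, fmt.Sprintf("access denied opening %q: agent account lacks read permission", channel))
	default:
		r.UpdateStatus(Failed, fmt.Sprintf("opening %q: %v", channel, err))
	}
	return err
}

func main() {
	r := &Recorder{}
	denied := func(string) error { return fmt.Errorf("subscribe: %w", ErrAccessDenied) }
	_ = StartChannel("Security", denied, r) // constructed failure for the demo
	fmt.Println(r.State, r.Msg)
}
```

The error is still returned to the caller, so the input can log it as well as report the status.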