Active Directory Audit logs for accounts, DNS


1. Describe your incident:

2. Describe your environment:

  • OS Information:
    Ubuntu 22.04.3 LTS

  • Package Version:
    5.1

Hi!

I am a little confused about setting up Winlogbeat. I read the documentation and have now set up the Graylog Sidecar. I have installed the sidecar on my Windows server. Then I created a configuration file for Winlogbeat for Windows and changed the IP address to point to my Graylog.
Then I selected Winlogbeat under Log Collectors, edited it, assigned my Graylog IP to it and pressed Update collector.
In the Administration section I can see my Winlogbeat is running fine and I can see the messages under Overview.
I want to receive only security-related event IDs, so I just disabled the entries below in both the collector and the configuration.

- name: Application

- name: System

Is this the right way to do it?

Also, do I not have to install Winlogbeat on the server itself, or do I have to run the Winlogbeat installer on the server?

Thanks for your input on this.

Greetings and welcome!

I understand it can be a bit confusing as there are a lot of moving parts.

To help clarify:

  • Both winlogbeat and filebeat are included with the Windows Graylog Sidecar install and do not need to be installed separately.
  • Graylog sidecar will control these “collectors” via the graylog UI, and you do not need to edit any .yml files locally on the device where sidecar is installed.
  • Sidecar configuration in graylog:
    • Log Collectors are a configuration that defines what binary (such as winlogbeat.exe) and what command sidecar executes to start collecting that data.
      • Examples of different collectors: filebeat, winlogbeat, nxlog
    • Configurations specify exactly what the log collector will collect, such as a specific text file or a specific Windows event log.
      • Configurations are applied to sidecars.

Here is a short guide that goes through configuring a sidecar (once it has been installed and the device appears in the list of devices in the graylog UI): se-poc-docs/src/On Prem POC/sidecar configuration.md at main · Graylog2/se-poc-docs · GitHub

Let me know if you have any questions!


Thanks Drew for such a nice explanation :).

It says here that you should change your config on the device where it's installed:
"Once finished, you can change or configure your sidecar.yml file, which should be located in C:\Program Files\Graylog\sidecar\sidecar.yml"

https://go2docs.graylog.org/5-0/getting_in_log_data/graylog_sidecar.html

Do we have to configure different collectors for different servers?

That file only holds settings for the sidecar agent; the most common reasons to edit it are to update the API key or URL of your Graylog server, or to change the tags assigned to that sidecar agent. Most of the time you will edit the configs in the Graylog UI. You can assign a config to as many machines as you want; you only need to make another config when you want to assign a different config to a machine because you need to collect different logs.


Thanks Joel for the explanation.

Is this the correct format for event IDs?

I am getting an error when I use this format. It's failing.

If you are talking about the example winlogbeat config, yes, BUT that config will only work if you deploy it via sidecar; if you copy it right into the winlogbeat yaml file you will get errors.

I am deploying it via sidecar on the Graylog server.
In Graylog server → Sidecars → Create configuration, and pasting the config in it.

I can see this error.

Validation command output: panic: name Security already used

Is it because I am using Graylog 5.1 and the sidecar config doesn't work fine?
My default config has:

winlogbeat:
  event_logs:

and in the GitHub example it's winlogbeat.event_logs:

Can you post a screenshot of your error and the full text of the config you are using?

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# NOTE:
# replace servername.domain.tld
# with the name (or IP Address) of your graylog server.
output.logstash:
  hosts: ["myipaddress:5045"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows

winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 48h

  # Account login: Successful, Failed, logged off, logon using explicit credentials
  - name: Security
    event_id: 4616, 4624, 4625, 4634, 4647, 4648
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing

  # Active Directory Monitoring: User account created, A user account was enabled, An attempt was made to change the password of an account, A user account was disabled, A user account was changed, A user account was locked out, A user account was unlocked
  - name: Security
    event_id: 4720-4727
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing

  # Active Directory Monitoring Group: A user was added to a privileged global group, A user was added to a privileged local group, A user was added to a privileged universal group, A privileged local group was modified, A privileged global group was modified, A privileged universal group was modified
  - name: Security
    event_id: 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740-4743, 4754-4758, 4764, 4767, 4769
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing

  # Active Directory Kerberos: A Kerberos authentication ticket request failed
  - name: Security
    event_id: 4770-4773
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing

  # Active Directory RDP:
  - name: Security
    event_id: 1024, 1100, 1101, 1102, 1103, 1104, 1149, 98, 131, 21, 22, 25
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing

  - name: System
    level: critical, error, warning
    ignore_older: 48h

  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 48h

  - name: Windows PowerShell
    level: critical, error, warning
    ignore_older: 48h

  - name: Microsoft-Windows-PowerShell/Operational
    level: critical, error, warning
    ignore_older: 48h

  - name: Microsoft-Windows-Windows Defender/Operational
    level: critical, error, warning
    ignore_older: 48h
The bold text has # in front. Not sure how I can format this.

Thank you this is very helpful! My apologies, after doing some research it would appear there were some breaking changes (possibly?) introduced around winlogbeat 8.7 and later. This makes sense because we (graylog) have just updated sidecar to use winlogbeat 8.9.0 (previously we used 7.11.1).

That thread I linked above has the workaround, but I'll save you the clickthrough and tell you the fix is to add an id attribute to the config like this:

winlogbeat.event_logs:
  # Account login: Successful, Failed, logged off, logon using explicit credentials
  - name: Security
    id: account_login
    event_id: 4616, 4624, 4625, 4634, 4647, 4648
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing

  # Active Directory Monitoring: User account created, A user account was enabled, An attempt was made to change the password of an account, A user account was disabled, A user account was changed, A user account was locked out, A user account was unlocked
  - name: Security
    id: ad_mon_user_created
    event_id: 4720-4727
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing

I have since updated the winlogbeat config linked above.

Thanks for reporting this! Let me know if you have any questions, and let us know if you still have issues after adding the id attributes.
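As an added example that is not part of this thread, of Graylog, or of Elastic: a small pre-flight check for the winlogbeat.event_logs section of a Sidecar configuration. It reproduces the condition behind the "panic: name Security already used" error in the failing config above, confirms that the id attribute from the fix post resolves it, and expands each event_id filter (ranges such as 4720-4727 and the leading-minus exclusion that winlogbeat supports) so a reviewer can see which Event IDs a filter actually covers. It assumes the winlogbeat 8.x behaviour the fix post describes: an entry is identified by its id, falling back to name when no id is set, so two entries may share a name only if they carry distinct ids. The embedded configs are constructed, cut-down versions of the ones posted above, and the parser reads only the flat `- name:` / `id:` / `event_id:` lines of that section rather than general YAML, so no YAML library is needed.

```python
"""Pre-flight check for winlogbeat.event_logs entries in a Sidecar config.

Added example (not Graylog's or Elastic's code). Assumption: in winlogbeat
8.x each entry is identified by `id`, falling back to `name`, so entries
sharing a name must carry distinct ids or the collector refuses to start.
"""
import re

# Constructed sample: two Security entries without ids, as in the failing post.
FAILING_CONFIG = """\
winlogbeat.event_logs:
  # Account login
  - name: Security
    event_id: 4616, 4624, 4625, 4634, 4647, 4648
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing

  # Active Directory Monitoring
  - name: Security
    event_id: 4720-4727
    level: info
    provider:
      - Microsoft-Windows-Security-Auditing

  - name: System
    level: critical, error, warning
"""

# Constructed sample: the same entries with the id attribute from the fix post.
FIXED_CONFIG = FAILING_CONFIG.replace(
    "- name: Security\n    event_id: 4616",
    "- name: Security\n    id: account_login\n    event_id: 4616", 1,
).replace(
    "- name: Security\n    event_id: 4720",
    "- name: Security\n    id: ad_mon_user_created\n    event_id: 4720", 1,
)

ENTRY_RE = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")   # "- name: Security"
KEY_RE = re.compile(r"^\s+(\w+):\s*(.*?)\s*$")        # "    id: account_login"


def parse_event_logs(text):
    """Return the winlogbeat.event_logs entries as dicts holding name,
    and id / event_id when present; every other key is ignored."""
    entries, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped == "winlogbeat.event_logs:":
            in_section = True
            continue
        if not in_section:
            continue
        if not line[0].isspace():          # next top-level key ends the section
            in_section = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m.group(1)})
            continue
        m = KEY_RE.match(line)
        if m and entries and m.group(1) in ("id", "event_id"):
            entries[-1][m.group(1)] = m.group(2)
    return entries


def conflicting_names(entries):
    """Names whose effective identifier (id, else name) is used more than
    once: the duplicate that winlogbeat 8.x rejects at startup."""
    seen, conflicts = set(), set()
    for e in entries:
        ident = e.get("id") or e["name"]
        if ident in seen:
            conflicts.add(e["name"])
        seen.add(ident)
    return sorted(conflicts)


def expand_event_ids(spec):
    """Expand an event_id filter such as '4720-4727, 4740, -4725' into the
    sorted list of individual IDs it matches; a leading minus excludes an ID."""
    include, exclude = set(), set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        target = include
        if part.startswith("-"):
            target, part = exclude, part[1:]
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            target.update(range(lo, hi + 1))
        else:
            target.add(int(part))
    return sorted(include - exclude)


if __name__ == "__main__":
    for label, cfg in (("failing", FAILING_CONFIG), ("fixed", FIXED_CONFIG)):
        entries = parse_event_logs(cfg)
        print(label, "conflicts:", conflicting_names(entries))
        for e in entries:
            print("  ", e.get("id") or e["name"], expand_event_ids(e.get("event_id", "")))
```

Running the script on the failing sample reports Security as a conflict, while the fixed sample reports none; the same check can be pasted over a full Sidecar configuration before it is pushed to the collectors, which is cheaper than reading the validation error out of the sidecar log after the fact.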
