Alarm triggered when software is installed on the Windows server

farzanba · May 28, 2021, 10:17am

Hello everybody,
How can I tell when software is being installed on a Windows server or Alarm triggered when software is installed on the Windows server.
is that possible with Gray Log?

Thank you

shoothub · May 28, 2021, 11:12am

Yes, it’s possible. Send logs from windows server using sidecar with sender winlogbeat or nxlog, and create input Beats, find EventID which contains action of software installation, and create alert with it.

farzanba · May 28, 2021, 12:08pm

I have already done that. But the result is not clear.
EventID:7045

gsmith · May 28, 2021, 11:46pm

@farzanba

Maybe I can offer a suggestion.

As @shoothub suggested.

I have GL 4 using GELF TCP/TLS INPUT

Here is a screenshot of our streams using EventID, added other rules to filter out the white noise from Windows Event Veiwer. Microsoft attend to use the same EventID for other events.

Create Alert (Summary).

Email Notification received.

Hope that helps

system · June 11, 2021, 11:46pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat "publishes" fine but specific events aren't seen in Graylog Graylog Central (peer support) sidecar , winlogbeat	1	960	April 13, 2021
Active Directory Audit logs for accounts, DNS Graylog Central (peer support)	13	566	January 26, 2024
Sending Windows Logs to GrayLog Graylog Central (peer support) sidecar , winlogbeat	3	5562	August 4, 2021
Winlogbeat sidecar Graylog Graylog Central (peer support)	2	202	September 5, 2022
Windows events to graylog server Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	3	4540	December 27, 2018

Alarm triggered when software is installed on the Windows server

Related Topics