Collector configuration of winlogbeat snippets was not working in Graylog


(Ganeshbabu Ramamoorthy) #1

Hi All,

I have created a new configuration in Graylog, in which I configured winlogbeat as input & output, and I also tried creating a snippet for winlogbeat to allow only specific event IDs for the “Security” log name.
Below is the syntax I used from this URL:

winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4700-4800, -4735

When I started the collector sidecar, the configuration changes were applied to the generated winlogbeat.yml; below are the changes in the yml file:
[image]

I also tried changing the syntax in the snippet as given below:

winlogbeat:
  event_logs:
  - name: Security
    event_id: 4670, 4688

After saving, the changes were reflected in the generated winlogbeat.yml file:

[image]

Please kindly share your thoughts and correct me if I am doing anything wrong; it would be helpful.

Thanks,
Ganeshbabu R


(Jan Doberstein) #2

That kind of configuration is not supported in the current version of Collector Sidecar.

Future versions will have that ability, but the current one does not.

Your two options are:

  • configure winlogbeat without Collector Sidecar
  • collect all security settings and drop the unwanted ones in the processing rules
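The following is an added example, not code from either poster, from Graylog or from Elastic. It implements the semantics of the winlogbeat `event_id` expression quoted in the question (comma-separated single IDs, inclusive ranges such as `4700-4800`, and `-`-prefixed IDs that exclude an event) and applies it to constructed sample records, which is the filtering the second option above moves from the collector into Graylog's processing rules. Field names, the sample events and the rule that a list with no positive entries means "include everything" are assumptions made for the example.

```python
"""Emulate winlogbeat's ``event_id`` filter outside the collector.

Added example (not from the thread, Graylog or Elastic): parses the
expression the original poster used, "4624, 4625, 4700-4800, -4735",
and applies it to constructed sample events the way a server-side
drop rule would.
"""
import re
from dataclasses import dataclass

_RANGE = re.compile(r"^(\d+)-(\d+)$")


@dataclass(frozen=True)
class EventIdFilter:
    include: frozenset  # explicit IDs plus expanded ranges
    exclude: frozenset  # IDs written with a leading '-'

    @classmethod
    def parse(cls, expr: str) -> "EventIdFilter":
        include, exclude = set(), set()
        for raw in expr.split(","):
            tok = raw.strip()
            if not tok:
                continue
            if tok.startswith("-"):
                exclude.add(int(tok[1:]))  # "-4735": drop this ID
                continue
            m = _RANGE.match(tok)
            if m:
                lo, hi = int(m.group(1)), int(m.group(2))
                if lo > hi:
                    raise ValueError(f"bad range: {tok}")
                include.update(range(lo, hi + 1))  # inclusive on both ends
            else:
                include.add(int(tok))
        return cls(frozenset(include), frozenset(exclude))

    def allows(self, event_id: int) -> bool:
        """Excludes win over includes; no positive entries means include
        everything (assumption made for this example)."""
        if event_id in self.exclude:
            return False
        return not self.include or event_id in self.include


# Constructed sample records, not captured data. Field names are assumed.
SAMPLE_EVENTS = [
    {"log_name": "Security", "event_id": 4624},  # successful logon: listed
    {"log_name": "Security", "event_id": 4735},  # inside 4700-4800 but excluded
    {"log_name": "Security", "event_id": 4750},  # inside the range: kept
    {"log_name": "Security", "event_id": 4688},  # process creation: not listed
    {"log_name": "System", "event_id": 7036},    # other channel: not filtered
]


def filter_security(expr: str, events: list) -> list:
    """Keep every non-Security event; keep Security events only if the
    filter allows them. Returns the surviving records in input order."""
    flt = EventIdFilter.parse(expr)
    return [
        e for e in events
        if e["log_name"] != "Security" or flt.allows(e["event_id"])
    ]


if __name__ == "__main__":
    kept = filter_security("4624, 4625, 4700-4800, -4735", SAMPLE_EVENTS)
    for e in kept:
        print(e["log_name"], e["event_id"])
```

Running the block keeps 4624 and 4750 from the Security channel, drops 4735 (excluded despite the range) and 4688 (never listed), and passes the System event through untouched; the same membership test is what a Graylog pipeline rule calling `drop_message()` would express for the second option above.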

(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.