Do I need to manually enable Windows Audit Logs in secpol.msc after installing Graylog Sidecar?

Hey everyone,

I recently installed Graylog Sidecar on my Windows machine to collect audit logs, but I’m not sure if I need to manually enable the Windows Audit Logs in secpol.msc, or if Sidecar will automatically enable and collect them.

Does anyone know if Graylog Sidecar handles this automatically, or is there some manual configuration required?

Thanks in advance for any help!

The sidecar alone doesn’t collect the logs. To collect them, you must push a configuration for Winlogbeat or NXLog down to the sidecar agent. If your sidecar shows in the Graylog UI, you must assign one of the default configurations shipped to get going.

You may wish to edit the audit policies to get more events than are available with the default config.

You can have a look at this other thread ongoing for example: Graylog Sidecar doesn't send logs

Thank you for your response. I still need to complete the following tasks:

  1. Push the configuration to the sidecar agent.
  2. If I want to add more audit policies, I need to edit the audit policies in the configuration and then push them down to the agent again.
  3. Enable the audit policies at secpol.msc on the client machine.

Is this correct? My question was about the third task.

You only need to do the third part if you want more logs than Windows logs by default.

For example, command line auditing is turned off by default, but you may want this.
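One way to do that third task from a script instead of clicking through secpol.msc, as an added example that is not from this thread or from Graylog: it checks and, if needed, enables "Audit Process Creation" (Security event 4688) together with command line inclusion on the client. It assumes standard Windows auditpol and registry names and that no domain GPO pushes an Advanced Audit Policy that would overwrite these local settings at the next refresh.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on the client.
# Assumes local audit policy is not overridden by a domain GPO.

$Subcategory = 'Process Creation'   # secpol.msc: Advanced Audit Policy Configuration > Detailed Tracking
$CmdLineKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$CmdLineName = 'ProcessCreationIncludeCmdLine_Enabled'

function Get-AuditState {
    # auditpol /r prints CSV; the "Inclusion Setting" column holds the current setting,
    # e.g. "No Auditing" (Windows default) or "Success and Failure"
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_.Trim() -ne '' }
    $row = $csv | ConvertFrom-Csv
    $cmdLine = (Get-ItemProperty -Path $CmdLineKey -Name $CmdLineName -ErrorAction SilentlyContinue).$CmdLineName
    [pscustomobject]@{
        ProcessCreation   = $row.'Inclusion Setting'
        CommandLineInBody = ($cmdLine -eq 1)   # whether 4688 events carry the command line
    }
}

$before = Get-AuditState
Write-Host "Before: process creation = '$($before.ProcessCreation)', command line = $($before.CommandLineInBody)"

if ($before.ProcessCreation -notmatch 'Success') {
    # Generates Security event 4688 for every new process
    auditpol /set /subcategory:"$Subcategory" /success:enable /failure:enable | Out-Null
}
if (-not $before.CommandLineInBody) {
    # Same setting as the GPO "Include command line in process creation events"
    New-Item -Path $CmdLineKey -Force | Out-Null
    Set-ItemProperty -Path $CmdLineKey -Name $CmdLineName -Value 1 -Type DWord
}

$after = Get-AuditState
Write-Host "After:  process creation = '$($after.ProcessCreation)', command line = $($after.CommandLineInBody)"
# The Winlogbeat or NXLog configuration pushed by the sidecar will now see 4688 events,
# provided that configuration reads the Security channel.
```

Run Get-AuditState again after the next policy refresh: if the setting has reverted to "No Auditing", a domain GPO is managing audit policy and the change has to be made there instead.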

That’s great, thank you so much!
