Getting Exchange Transport Logs into Graylog

I have a Graylog Community server up and running on Linux.

I followed the Graylog documentation on how to setup a Windows Sidecar with Winlogbeat.

I am successfully getting logs from my Windows Servers into Graylog.

My question is, how do I have Winlogbeat grab other log files that don’t show up in Event Viewer?

I would very much like to get my Windows Exchange Server logs into Graylog.

They currently reside on another partition, the location is:
“D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking”

Do I configure the Sidecar configuration on the server side, or is there a configuration file residing on the client (Exchange Server) that needs to be modified?

You need to pick up filebeat, you can place the exe in the same place as winlogbeat - and create a configuration for it to pick up the log files you want.

Here is a configuration for a couple of exchange log files you can modify from:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
   - ${user.BeatsInput}
   verification_mode: none
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
 - windows, exchange, 
logging.metrics.enabled: false
##### find owa logon and logoff 
    - type: log
      enabled: true
      include_lines: ['auth.owa', 'logoff.owa', 'ClientDisconnect']
      exclude_lines: ['HealthMailbox','^#']
        exchange_tag: OWA
      ignore_older: 72h
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\*.LOG
##### find RPC/HTTP logins 
    - type: log
      enabled: true
      include_lines: ['Exchange.asmx']
      exclude_lines: ['HealthMailbox','^#','^DateTime','AnchorMailboxHeader-SMTP','10.8.[0-9]+.[0-9]+']
        exchange_tag: rpc_http
      ignore_older: 72h    
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews\*.LOG
##### find Activesync logins
    - type: log
      enabled: true
#     include_lines: ['Microsoft-Server-ActiveSync','NewConnection=']
      include_lines: ['NewConnection=']
      exclude_lines: ['localhost','^#','^DateTime',',OPTIONS,']
        exchange_tag: activesync
      ignore_older: 72h    
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Eas\*.LOG

Let us know how it works out!


Hey there, thank you very much for the reply.

As I was going to drop the filebeat.exe into the same folder as winlogbeat, I noticed that filebeat.exe already existed there.

I assume that the Winlogbeat installer from Graylog also side installs Filebeat?

Or do I need to go through the installation of Filebeat anyway?

Regardless, I used your configuration and Graylog accepted it after I manually inserted the host IPv4 address of the Graylog server for “host”. For whatever reason it was not happy with the variable.
Afterwhich I setup the sidecar to use that configuration and it took it without error.

I had to update the paths for my particular setup, as my logs are logging to a secondary harddrive, all i had to do was switch C:\ to D:.

I verified that the paths are correct and that the logs are living there.

However now I have no logs coming in.

I imagine I have to fiddle with the logs in the config file some more.

I will make sure to post here with my findings and if/how I got it to work.

1 Like

Sidecar for Windows deploys filebeat and winlogbeat as default. If you deploy that config above to filebeat the winlogbeat logs should still arrive as that is configured separately. That means you can tinker with the config for filebeat while the event logs still arrive in Graylog.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.