Hello.
Log collection and analysis from Active Directory.
Collecting logs with winlogbeat, nxlog, filebeat.
I see the logs, but I don't see account lockouts, for example.
My configuration in NXLog:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Extension block names below (json, syslog) are assumed; the post names only the modules.
<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    # Select only the listed event IDs from the event log
    Query *[System[(EventID=6 or EventID=13 or EventID=64 or EventID=65 or EventID=7036)]]
    # Serialize the event fields into the message as JSON
    Exec $Message = to_json();
</Input>

<Output out>
    Module om_tcp
    Host "my ip"
    Port 12201
    # Wrap the JSON message in an RFC 5424 syslog header
    Exec to_syslog_ietf();
</Output>

<Route 1>
    Path eventlog => out
</Route>
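An added example, not part of the poster's configuration: a small Python script that parses the RFC 5424 lines this pipeline emits (a to_json() message wrapped by to_syslog_ietf()) and tallies events by channel and EventID, so you can check what actually arrives at the collector instead of what you expect to arrive. The sample lines, host name and JSON field names are constructed; the one standard fact used is that an account lockout is Security event 4740 on the domain controller that processed it.

```python
import json
import re
from collections import Counter

# RFC 5424 layout as produced by NXLog's to_syslog_ietf():
# <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_IETF = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

def parse_line(line):
    """Return the JSON event carried in the MSG part, or None if the line
    is not a well-formed IETF syslog line with a JSON body."""
    m = SYSLOG_IETF.match(line.strip())
    if not m:
        return None
    try:
        return json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None

def summarize(lines):
    """Count events by (Channel, EventID): what the collector really shipped."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or "EventID" not in ev:
            continue
        counts[(ev.get("Channel", "?"), int(ev["EventID"]))] += 1
    return counts

# Security 4740 = "A user account was locked out" (written on the DC that handled it)
LOCKOUT = ("Security", 4740)

def lockouts_seen(counts):
    return counts.get(LOCKOUT, 0)

# Constructed sample lines in the shape the pipeline above would emit.
SAMPLE = [
    '<14>1 2024-05-01T10:00:00.000000+00:00 dc01 nxlog 1234 - - '
    '{"Channel":"System","EventID":7036,"Message":"Service entered the running state."}',
    '<14>1 2024-05-01T10:00:05.000000+00:00 dc01 nxlog 1234 - - '
    '{"Channel":"System","EventID":6,"Message":"A filter driver was loaded."}',
    '<14>1 2024-05-01T10:01:00.000000+00:00 dc01 nxlog 1234 - - '
    '{"Channel":"Security","EventID":4740,"TargetUserName":"jdoe"}',
]

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for (channel, eid), n in sorted(counts.items()):
        print(f"{channel:10} {eid:6} {n}")
    print("lockouts:", lockouts_seen(counts))
```

Feed it the lines captured on the receiving side of port 12201; if no (Security, 4740) pair ever shows up, the input query is not selecting lockout events, regardless of what else arrives.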