Graylog Beginner - Wondering if I have the right tool for the job?


1. Describe your incident:
Hello All,

I am new to Graylog and have heard about it in the past and finally figured I would dip my toes in the water. My apologies if what I am asking is basic and has been answered before; I have been googling and searching the forums but could not find a clear answer as to whether my overall goal of trying to use Graylog to create a Login/Logoff/Session Time report for Windows Active Directory users is viable.

I have spent about 8 hours so far getting my VM set up and Graylog up and working, and I have been able to set up NXLog on our Windows Domain Controller and configure it to start sending logs into Graylog.

So now that I have got all that set up and data is being fed into Graylog, I am wondering if it is possible to set up some type of dashboard/report that could be accessed and that kept a running report of who logged into which computer and for how long? One thing I noticed was the logs do have the time of the event and the endpoint name, but the username is listed as the SID instead of the username the user logs in with. Is that something that can be connected back to AD as well to translate those values to usernames?

Any info or pointing in a direction would be greatly appreciated. I am excited to get to know Graylog; I can see lots of possibilities here and look forward to learning.

2. Describe your environment:

  • OS Information:
    Graylog is installed on an Ubuntu VM

  • Package Version:
    Graylog 5.2

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
I followed the steps in this Graylog video to get my Graylog server up and running.

How To Install Graylog V5 On Ubuntu (youtube.com)

4. How can the community help?


I would use Graylog Sidecar with Winlogbeat on the Domain Controller to ingest Windows logs. Once you have Sidecar and Winlogbeat configured, it's just a matter of making sure Winlogbeat is capturing the right Event Codes.

Per Microsoft: Logon/Logoff Audit Log Event Codes
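To show what the session report the question asks for actually needs from those event codes, here is an added example (not code from this thread, Graylog or Winlogbeat) that pairs Windows Security logon events (4624) with logoff events (4634/4647) by the logon ID Windows repeats in both, and reports the session length per user and computer. The record layout and the sample events are constructed assumptions standing in for fields such as TargetUserName, TargetLogonId and the computer name that the collector forwards.

```python
"""Pair Windows logon (4624) and logoff (4634/4647) events into sessions.

Added example, not from the thread or from Graylog. The tuple layout and
the sample events below are constructed to mimic exported Security events.
"""
from datetime import datetime
from typing import Dict, List, Optional

LOGON_ID = 4624            # An account was successfully logged on
LOGOFF_IDS = {4634, 4647}  # An account was logged off / user initiated logoff

# Constructed sample events: (timestamp, event_id, computer, user, logon_id).
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", 4624, "WS01", "alice", "0x3E7A1"),
    ("2024-03-01T08:05:00", 4624, "WS02", "bob",   "0x41B22"),
    ("2024-03-01T12:30:00", 4647, "WS01", "alice", "0x3E7A1"),
    ("2024-03-01T17:00:00", 4634, "WS02", "bob",   "0x41B22"),
    ("2024-03-01T17:10:00", 4634, "WS02", "bob",   "0x99999"),  # logoff with no logon seen
    ("2024-03-01T18:00:00", 4624, "WS03", "carol", "0x5C0DE"),  # never logged off
]


def build_sessions(events: List[tuple]) -> List[Dict[str, Optional[object]]]:
    """Return one session per logon, matched by the logon ID that Windows
    assigns to a logon and repeats in the corresponding logoff event."""
    open_logons: Dict[str, tuple] = {}
    sessions: List[Dict[str, Optional[object]]] = []
    # Sort by time so a logoff is always processed after its logon.
    for ts, event_id, computer, user, logon_id in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == LOGON_ID:
            open_logons[logon_id] = (when, computer, user)
        elif event_id in LOGOFF_IDS:
            start = open_logons.pop(logon_id, None)
            if start is None:
                continue  # logoff without a seen logon (e.g. before collection began)
            sessions.append({"user": start[2], "computer": start[1],
                             "start": start[0], "end": when,
                             "minutes": (when - start[0]).total_seconds() / 60})
    # Logons still open at the end of the data get no end time or duration.
    for when, computer, user in open_logons.values():
        sessions.append({"user": user, "computer": computer, "start": when,
                         "end": None, "minutes": None})
    return sessions


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(f"{s['user']:6} {s['computer']:5} {s['start']} -> {s['end']}  {s['minutes']}")
```

Real 4624 events also carry a LogonType; for a workstation session report you would normally keep only interactive (2) and remote interactive (10) logons, because service and network logons produce 4624/4634 pairs too and would inflate the report.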

The username should be there; if it's not, something may be wrong on the nxlog side and it's not rendering the usernames before it sends the logs. Can you post the nxlog config you are using to collect the logs?
