Graylog Fileserver monitor file access

I’m trying to use Graylog for monitoring file access on a file server… For now I can use Sidecar to log event ID 4663 on my shared folder, but there isn’t the name of the user that wants to access; for all of them it is only user=administrator. Is there another way to do detailed monitoring of file access inside the file server? I’ve tried to install Auditbeat with Sidecar, but when Sidecar starts, no Auditbeat logs are received; if I start Auditbeat with the Sidecar config passed inside c:.…\graylog\sidecar\generated\winlogbrat.conf, Auditbeat starts but all Winlogbeat events are not registered…

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# The parent keys below (output.logstash, path, tags, auditbeat.modules, paths,
# datasets, winlogbeat.event_logs, processors) were lost when the post was
# pasted; they are restored here from the standard Beats configuration layout.
output.logstash:
   hosts: [""]   # empty: no Graylog Beats input address is configured here
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
 - auditbeat

# Auditbeat-only settings; Winlogbeat does not read this block.
auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)
  - C:/Program Files (x86)   # listed twice in the post
  - C:/test
- module: system
  datasets:
    - host      # General host information, e.g. uptime, IPs

# Winlogbeat-only settings; Auditbeat does not read this block, so running this
# one file under auditbeat.exe ships no Windows event log entries at all.
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
  - name: System          # Application, System and Security each appear twice in the post
    level: critical, error, warning
  - name: Application
    level: critical, error, warning
  - name: Security
    ignore_older: 2h
    processors:
        # Keep only the event IDs listed below and drop everything else.
        # Note that 4663 (file/object access) is not in this list.
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1102
            - equals.winlog.event_id: 1104
            - equals.winlog.event_id: 1108
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4625
            - equals.winlog.event_id: 4648
            - equals.winlog.event_id: 4672
            - equals.winlog.event_id: 4698
            - equals.winlog.event_id: 4700
            - equals.winlog.event_id: 4720
            - equals.winlog.event_id: 4723
            - equals.winlog.event_id: 4725
            - equals.winlog.event_id: 4727
            - equals.winlog.event_id: 4728
            - equals.winlog.event_id: 4731
            - equals.winlog.event_id: 4732
            - equals.winlog.event_id: 4735
            - equals.winlog.event_id: 4740
            - equals.winlog.event_id: 4741
            - equals.winlog.event_id: 4754
            - equals.winlog.event_id: 4756
            - equals.winlog.event_id: 4767
            - equals.winlog.event_id: 4768
            - equals.winlog.event_id: 4771
            - equals.winlog.event_id: 4776
            - equals.winlog.event_id: 4780
            - equals.winlog.event_id: 4782
            - equals.winlog.event_id: 4798
            - equals.winlog.event_id: 4799
```
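As an added check that is not part of the original thread, the Python script below replays the allow-list semantics of the `drop_event.when.not.or` processor from the posted config against sample Security events, and extracts the accessing account from a 4663 record. The processor excerpt is copied from the config above; the XML record, host name, account, SID and file path are constructed for the example.

```python
"""Added example: replay the posted Winlogbeat drop_event allow-list and pull the
accessing account out of a 4663 record. The XML record, computer name, account,
SID and path below are constructed sample data, not a real capture."""
import re
import xml.etree.ElementTree as ET

# Excerpt of the processors block from the posted config (same event IDs).
PROCESSOR_EXCERPT = """
    processors:
        - drop_event.when.not.or:
            - equals.winlog.event_id: 1102
            - equals.winlog.event_id: 1104
            - equals.winlog.event_id: 1108
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4625
            - equals.winlog.event_id: 4648
            - equals.winlog.event_id: 4672
            - equals.winlog.event_id: 4698
            - equals.winlog.event_id: 4700
            - equals.winlog.event_id: 4720
            - equals.winlog.event_id: 4723
            - equals.winlog.event_id: 4725
            - equals.winlog.event_id: 4727
            - equals.winlog.event_id: 4728
            - equals.winlog.event_id: 4731
            - equals.winlog.event_id: 4732
            - equals.winlog.event_id: 4735
            - equals.winlog.event_id: 4740
            - equals.winlog.event_id: 4741
            - equals.winlog.event_id: 4754
            - equals.winlog.event_id: 4756
            - equals.winlog.event_id: 4767
            - equals.winlog.event_id: 4768
            - equals.winlog.event_id: 4771
            - equals.winlog.event_id: 4776
            - equals.winlog.event_id: 4780
            - equals.winlog.event_id: 4782
            - equals.winlog.event_id: 4798
            - equals.winlog.event_id: 4799
"""

ALLOW_LINE = re.compile(r"^\s*-\s*equals\.winlog\.event_id:\s*(\d+)\s*$")


def parse_allow_list(config_text):
    """Collect the event IDs named by the equals conditions of a
    drop_event.when.not.or block: an event survives only if one matches."""
    return {int(m.group(1)) for line in config_text.splitlines()
            if (m := ALLOW_LINE.match(line))}


KEPT_EVENT_IDS = parse_allow_list(PROCESSOR_EXCERPT)


def is_dropped(event_id, kept=KEPT_EVENT_IDS):
    """Mirror drop_event.when.not.or: drop when no listed ID matches."""
    return event_id not in kept


# Constructed 4663 record in the Windows event XML schema (not a real capture).
SAMPLE_4663 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4663</EventID>
    <Channel>Security</Channel>
    <Computer>FILESRV01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-0-0-0-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\\Shares\\Finance\\budget.xlsx</Data>
    <Data Name="AccessMask">0x1</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_security_event(xml_text):
    """Return the fields a file-access investigation needs from one record.
    Winlogbeat ships each <Data Name="X"> value as winlog.event_data.X."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": event_id,
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        # The account that performed the access, not the account running the log
        "user": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "object": data.get("ObjectName", ""),
        "access_mask": data.get("AccessMask", ""),
        "dropped_by_config": is_dropped(event_id),
    }


if __name__ == "__main__":
    print(f"{len(KEPT_EVENT_IDS)} event IDs survive the allow-list")
    for key, value in parse_security_event(SAMPLE_4663).items():
        print(f"{key:>18}: {value}")
```

The script shows two things a practitioner would check against this config: the account that opened the file is carried in the `SubjectUserName` and `SubjectDomainName` values of the 4663 event data (Winlogbeat exposes them as `winlog.event_data.SubjectUserName` and `winlog.event_data.SubjectDomainName`), and 4663 is absent from the posted allow-list, so with that `processors` block active the Security channel would drop every file-access event before it reaches Graylog.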

Hello && Welcome @febelus1

I haven’t used Auditbeat for Graylog yet, but from what I get, you may have to adjust your Sidecar configurations. I noticed you’re only collecting critical, error and warning on specific categories in Event Viewer. For troubleshooting, have you tried just sending logs using Auditbeat without fine-tuning what you want and what messages should be dropped? If so, did it work?
Have you checked the log files on this Windows device? Have you checked the logs on the Graylog server?

To help you further, can you describe your setup?

For Auditbeat - did you make sure your C:\Program Files\Graylog\sidecar\sidecar.yml has told the system where to find auditbeat.exe?


```yaml
# backends section of sidecar.yml (the parent key is restored here; the post shows only the list entries)
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml
    - name: auditbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\auditbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\auditbeat.yml
```