Graylog is not receiving logs

I’m not receiving Windows logs. Every time I check the alert, there is an exclamation mark next to Graylog gl2_source_collector:35fac341-e225-44cb-8018-9973589a21f5 and it says
Unknown field : Query contains unknown field: gl2_source_collector

Here is my configuration

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
fields.source: ${sidecar.nodeName}

output.logstash:
  hosts: ["192.168.233.135:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
```

Hello && Welcome @rsuthar

What type did you use, beats or beats (legacy) as your input?

I’m using beats 1.2 on graylog 4.3

I was referring to your INPUT being used. The 1.2 is the sidecar version, but that's good to know.

Example:

image

You may need to post your sidecar.conf.

If you are available, please connect remotely via AnyDesk. I’m using Beats, not Beats (deprecated). It’s a lab test before production deployment.

Hey,
my guess is that no log has been received yet.
Therefore the field (gl2_source_collector) is not indexed.

Maybe the command graylog-sidecar -debug will help?

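Sender-side checks for the guess above that no log has reached Graylog yet, as an added example that is not part of the original thread: run on the Windows host, it reports whether the Sidecar service and winlogbeat are running, whether the Beats input is reachable, and the latest error lines in the Sidecar log directory. The address, port and log path come from the posted configuration; the service name `graylog-sidecar` and process name `winlogbeat` are assumptions.

```powershell
# Added example: sender-side checks on the Windows host running Graylog Sidecar.
# Host, port and log path are taken from the configuration posted in this thread.
# Assumptions: service name 'graylog-sidecar', process name 'winlogbeat'.
$GraylogHost = '192.168.233.135'
$BeatsPort   = 5044
$LogDir      = 'C:\Program Files\Graylog\sidecar\logs'

function Test-SidecarPipeline {
    $result = [ordered]@{}

    # 1. Is the Sidecar service installed and running?
    $svc = Get-Service -Name 'graylog-sidecar' -ErrorAction SilentlyContinue
    $result.SidecarService = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. Did the Sidecar actually start the winlogbeat collector?
    $proc = Get-Process -Name 'winlogbeat' -ErrorAction SilentlyContinue
    $result.WinlogbeatRunning = [bool]$proc

    # 3. Can this host open a TCP connection to the Beats input?
    $tcp = Test-NetConnection -ComputerName $GraylogHost -Port $BeatsPort `
        -WarningAction SilentlyContinue
    $result.BeatsInputReachable = $tcp.TcpTestSucceeded

    # 4. Last error-like lines from the newest log file in the Sidecar log directory.
    $newest = Get-ChildItem -Path $LogDir -Filter '*.log' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if ($newest) {
        $result.NewestLog    = $newest.FullName
        $result.RecentErrors = @(
            Get-Content -Path $newest.FullName -Tail 200 |
                Select-String -Pattern 'error|refused|timeout' |
                Select-Object -Last 5 |
                ForEach-Object Line
        )
    } else {
        $result.NewestLog    = 'none found'
        $result.RecentErrors = @()
    }

    [pscustomobject]$result
}

Test-SidecarPipeline | Format-List
```

If the service and process are running and the port is reachable but the field is still unknown, the remaining checks are on the Graylog side (input state and received message count).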

Thanks I will try graylog-sidecar -debug
