1. Describe your incident:
I collected logs from my Windows DC with Sidecar (latest version, in front of Winlogbeat),
but in the input the message field only displays hyphens "-", while the extended message displays the full content of the message.
What does your Winlogbeat configuration look like? Or is it default?
Do you have any extractors or pipeline configuration for this input? If so how are they configured.
Ok, I see you're using Windows Forwarded Events. So I assume that this Windows device is the middleman for transporting log files. If this is correct, check the logs for a message body. When you see "-" in a field, Elasticsearch could not identify data to place in that field, OR it was removed by other means configured in Graylog.
Example in the picture below: this shows Cut is enabled. What it does is remove data from the field, but since you stated you don't have extractors or pipelines, we can probably rule that out.
For testing purposes, have you tried sending other logs instead of Forwarded Events? This would give us a clearer idea of what's going on. Perhaps something like this…
```yaml
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Forwarded Events
    - name: System
```
If you do get data in the message field using that config, then we can look at the origin from where the logs are being sent. If not, then we can look more into the Graylog instance.
Ok, this is weird: Windows System events seem to work but your Forwarded Events do not.
Thanks for testing that. So this leads us to the messages/logs in Forwarded Events.
So something is funky with the Forwarded Events logs. For example, here is my lab, BUT this is not from Forwarded Events…
Next question: Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server, in this case Graylog. Since I have not used this type of configuration, I would imagine that the logs are formatted in such a way that Elasticsearch can't find a "message" field in those messages, so it places "-".
EDIT: After reading up on Microsoft WEF, have you tried using Graylog Sidecar to pull the events you want instead of using Windows Event Forwarding?
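The triage done by hand in this thread (compare System events against Forwarded Events and see which channel arrives with an empty message) can be automated over exported events. The script below is an added example, not code from the thread or from Graylog/Winlogbeat. It assumes the indexed documents carry `winlog.channel`, `message` and `full_message` fields and that an empty message shows up as the literal placeholder `-` (both are assumptions; the sample events are constructed, not captured from the poster's system). It counts empty messages per channel, which makes the "System works, Forwarded Events does not" pattern visible at a glance, and shows the fallback a pipeline rule would apply: copy `full_message` into `message` when only the placeholder is present, tagging the event so the workaround remains auditable.

```python
import copy
from collections import defaultdict

# Constructed sample events, shaped like Winlogbeat output after Graylog indexing.
# Field names and the "-" placeholder are assumptions for this example.
SAMPLE_EVENTS = [
    {"winlog": {"channel": "System", "event_id": 7036},
     "message": "The Windows Update service entered the running state.",
     "full_message": "The Windows Update service entered the running state."},
    {"winlog": {"channel": "ForwardedEvents", "event_id": 4624},
     "message": "-",
     "full_message": "An account was successfully logged on."},
    {"winlog": {"channel": "ForwardedEvents", "event_id": 4634},
     "message": "",
     "full_message": "An account was logged off."},
]

# Values Graylog/Elasticsearch may show when no message body was found (assumed).
PLACEHOLDERS = {"", "-"}


def message_is_empty(event):
    """True when the message field is missing, blank, or only the "-" placeholder."""
    return str(event.get("message", "")).strip() in PLACEHOLDERS


def channel(event):
    """Return the Windows event log channel the event came from."""
    return event.get("winlog", {}).get("channel", "unknown")


def empty_message_ratio_by_channel(events):
    """Map channel -> (events with empty message, total events) for quick triage."""
    counts = defaultdict(lambda: [0, 0])
    for ev in events:
        c = counts[channel(ev)]
        c[1] += 1
        if message_is_empty(ev):
            c[0] += 1
    return {ch: (empty, total) for ch, (empty, total) in counts.items()}


def recover_message(event):
    """Return a copy of event with message filled from full_message when needed.

    Mirrors what a Graylog pipeline rule could do (set_field on message);
    the extra field records that the value was recovered rather than original.
    """
    ev = copy.deepcopy(event)
    fallback = str(ev.get("full_message", "")).strip()
    if message_is_empty(ev) and fallback:
        ev["message"] = fallback
        ev["message_recovered_from"] = "full_message"
    return ev


if __name__ == "__main__":
    for ch, (empty, total) in empty_message_ratio_by_channel(SAMPLE_EVENTS).items():
        print(f"{ch}: {empty}/{total} events with empty message")
    for ev in SAMPLE_EVENTS:
        print(recover_message(ev)["message"])
```

Run against a JSON export of the input's messages, a channel whose ratio is close to total points at the forwarding path rather than at Graylog, which is the conclusion the thread reaches by trial.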