Graylog message has display hyphen "-"

Graylog Central (peer support)
1

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:
i collected log from my window DC by sidecar latest version (before winlogbeat)
but in input, message only display hyphens “-” , and message extend aslo display full content of message.
image

image
image883×501 27.8 KB

how can i fix this?

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

2

Hello @ducna09

Thanks for the screen shot.
I have seen this before when there is an extractor or pipeline being used. This may have something to do with the shipper.

3

i considering graylog or sidecar, but doesn’t have any log :((

4

Hello,

I can help you further but more information is need. If your unsure please post.

5

Hi my friend,
graylog version: 4.0.6+40b7be5
sidecar version: latest
window to log center: window server 2019

6

What does your Winlogbeat configuration look like? Or is it default?
Do you have any extractors or pipeline configuration for this input? If so how are they configured.

7

here is my config sidecar.

image
image975×315 60.9 KB

i dont have any exatroctors.

8

hello,

Ok I see your using Windows Forwarded events. So I assume that this windows device is the middle man for transporting logs files. If this is correct, Check the log/s for a message body. When you see "-" in a field, Elasticsearch could not identify it to place data in that field OR it was remove by other means configured in Graylog.

Example in this picture below, this shows Cut is enabled. What is does is remove data from the field, but since you stated you don’t have extractors or pipelines we probably can rule that out.

image
image1276×204 14.2 KB

For testing purposes have you tried sending other logs instead of Forwarded events. This would give us a clearer idea what’s going on. Perhaps something like this…

tags:
 - windows
winlogbeat:
  event_logs:
   - name: Forwarded Events
   - name: System

If you do get data in the message field, using that config, Then we can look at the origin from where the logs are being sent. If not then we can look more into Graylog instance.

9

when i collect another log , for example: system log, it’s didn’t show hyphens

image (1)
image.
but message in ForwardedEvent maybe correctly.

photo_2022-10-31_11-43-19
photo_2022-10-31_11-43-191222×786 131 KB

10

Hello,

Ok this is weird, Windows System Events seam to work but your Forwarded Events do not.
Thanks for testing that, So this leads use to the messages/logs in Forwarded Events.

So something is funky with the Forwarded Events logs. For example, here is my lab, BUT this is not a Forwarded Events…

image
image1347×796 38.9 KB

Next Question, The Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server, in this case Its Graylog. Since I have not used this type of configuration, I would imagine that the logs are formatted in such a way that Elasticsearch cant find a “message” field " in those message. So it places "-"

EDIT: After reading over Microsoft (WEF) Have you tried using Graylog-Sidecar to pull the events you want instead of using Windows Forwarding?

11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.