Graylog problem with sidecar and winlogbeat

I’m having an issue with Graylog CE. I have Sidecars configured with Winlogbeat, and everything works correctly when using the default configuration. However, when I add a processors block, I stop receiving logs — even though I’m actively generating the specified events.

Could you please assist? I’m attaching the current Winlogbeat configuration file as well.

Hi!

Your screenshot is a little small but if I understand your configuration correctly you are trying to send specific event IDs only, right? Also, which version are you on?

I’m personally not using processors blocks so I can’t help with that too much. Not sure if it makes a difference but the winlogbeat documentation shows this syntax:

I only find older threads with the syntax you provided (which is also in the docs though).
Alternatively you could try filtering like this:

winlogbeat:
  event_logs:
   - name: Security
     ignore_older: 24h
     event_id: 4625,4647,4648,4700-4900,-4776

Maybe see if your sidecars start sending logs this way. It works perfectly fine on my end and is a bit simpler.
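To check which event IDs an `event_id` expression like the one in the reply above would let through before deploying it to Sidecars, the following added example (not part of the original thread and not Winlogbeat's own code) models the documented syntax: single IDs and ranges to include, and `-ID` to exclude. It assumes that an expression with only exclusions collects everything else; the function names and sample event IDs are constructed for illustration.

```python
def parse_event_id_filter(expr):
    """Split an event_id expression into include ranges and excluded IDs."""
    includes, excludes = [], set()
    for raw in expr.split(","):
        term = raw.strip()
        if not term:
            continue
        if term.startswith("-"):
            # "-4776": a single event ID to exclude
            excludes.add(int(term[1:]))
        elif "-" in term:
            # "4700-4900": an inclusive range to include
            lo, hi = (int(part) for part in term.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed range: {term}")
            includes.append((lo, hi))
        else:
            # "4625": a single event ID to include
            includes.append((int(term), int(term)))
    return includes, excludes


def is_collected(event_id, includes, excludes):
    """Exclusions win over includes; no includes means 'everything else' (assumption)."""
    if event_id in excludes:
        return False
    if not includes:
        return True
    return any(lo <= event_id <= hi for lo, hi in includes)


def collected_ids(expr, event_ids):
    """Return the subset of event_ids the expression would collect."""
    includes, excludes = parse_event_id_filter(expr)
    return [e for e in event_ids if is_collected(e, includes, excludes)]


if __name__ == "__main__":
    # Expression from the thread; the sample IDs below are constructed test input.
    expr = "4625,4647,4648,4700-4900,-4776"
    sample = [4624, 4625, 4648, 4720, 4776, 4901]
    for eid in sample:
        state = "collected" if eid in collected_ids(expr, [eid]) else "dropped"
        print(f"{eid}: {state}")
```

Note that 4776 falls inside the 4700-4900 range, so the trailing `-4776` is what keeps it out of the stream.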