Longish-term ELK user, attempting to evaluate Graylog. I really like what I see, and the dashboards + the prebuilt JSON to pull in Office 365 logs for longer than MS’s default 90 days are real winners.
I’ve built Graylog + Elastic + Mongo on Ubuntu 19 following the installation guide. Everything is working happily.
If I go to inputs I can see the beats input I’ve created. It’s listening and receiving messages from the test Domain Controller on which I’ve installed Sidecar. It has the API key, the correct IP etc.
In/Out at the top-right shows about: In 1200-1500 / Out 0 msg/s
Throughput / Metrics
1 minute average rate: 1,413 msg/s
Network IO: 320.5KB 0B (total: 522.3MB 10.4KB)
Active connections: 1 (1 total)
Empty messages discarded: 0
I’ve gone to Sidecars in the Graylog UI and added a collector called Winlogbeat_Domain_Controllers which tells the winlogbeat settings for sidecar to only collect the security logs.
The WinlogBeat_Domain_Controllers is marked Running for the Domain Controller.
There are no filters configured…
Overview is all in the green. No Journal issues.
The DC appears to be sending in data, but I can’t see it! And thus my lovely Active Directory dashboard is feeling sad and unloved with zero stats…
Any thoughts, please chaps?
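For anyone staring at the same "In 1,400 / Out 0 msg/s" picture, here is a small diagnostic I put together as an added example. It is not from the original post and not Graylog's own code: it reads the figures the UI shows from Graylog's REST API (GET /api/system/throughput for the "Out" rate and GET /api/system/journal for the disk journal) and says which part of the path the messages are stuck in. The endpoint paths, the JSON field names and the sample responses below are my assumptions based on Graylog 3.x, so check them against your own server; the numbers in the sample are constructed to mirror the post.

```python
"""Interpret Graylog's In/Out and journal figures (added example, not Graylog code)."""
import base64
import json
import urllib.request

# Constructed sample API responses mirroring the post (In ~1,413 msg/s, Out 0).
# Field names are assumptions based on Graylog 3.x; verify on your server.
SAMPLE_THROUGHPUT = '{"throughput": 0}'
SAMPLE_JOURNAL = json.dumps({
    "enabled": True,
    "append_events_per_second": 1413,
    "read_events_per_second": 0,
    "uncommitted_journal_entries": 84780,
    "journal_size": 123456789,
    "journal_size_limit": 5368709120,
    "number_of_segments": 3,
})
INPUT_RATE_1M = 1413.0  # "1 minute average rate" from the input's metrics panel


def classify(input_rate, output_rate, journal):
    """Return (status, advice) for an input rate, an output rate and journal stats.

    Out counts messages actually written to Elasticsearch, so In > 0 with
    Out == 0 means messages are accepted but never indexed; the journal
    counters tell you whether they are piling up or being consumed and lost.
    """
    uncommitted = journal.get("uncommitted_journal_entries", 0)
    fill = journal.get("journal_size", 0) / max(journal.get("journal_size_limit", 1), 1)
    if input_rate <= 0 and output_rate <= 0:
        return ("no_input",
                "Nothing arrives at the input: check the beat's output.logstash "
                "host/port, the Windows firewall and the Sidecar collector log.")
    if output_rate <= 0 and uncommitted > 0:
        return ("journal_backlog",
                f"Messages are journaled ({uncommitted} uncommitted, journal "
                f"{fill:.1%} full) but never indexed: check Elasticsearch cluster "
                "health, the index set / deflector alias and the process/output "
                "buffer utilisation on the node page.")
    if output_rate <= 0:
        return ("dropped_before_output",
                "Messages leave the journal but none reach Elasticsearch: look "
                "for extractors, pipeline rules or stream rules that drop them, "
                "and for timestamp/timezone issues hiding them from the search "
                "time range.")
    if output_rate < 0.5 * input_rate:
        return ("lagging",
                f"Output ({output_rate:.0f}/s) is far below input "
                f"({input_rate:.0f}/s); the journal will grow until it catches up.")
    return ("healthy", "Output keeps up with input.")


def diagnose(throughput_json, journal_json, input_rate):
    """Parse the two API responses and classify them."""
    out_rate = float(json.loads(throughput_json).get("throughput", 0))
    return classify(input_rate, out_rate, json.loads(journal_json))


def fetch(base_url, api_token, path):
    """Hypothetical helper: GET a Graylog API path with an API token.

    Graylog accepts the token as the HTTP basic-auth username with the
    literal password 'token'. Not used offline; call it with your own URL.
    """
    creds = base64.b64encode(f"{api_token}:token".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Accept": "application/json", "Authorization": "Basic " + creds},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch(...) results for a live node.
    status, advice = diagnose(SAMPLE_THROUGHPUT, SAMPLE_JOURNAL, INPUT_RATE_1M)
    print(status)
    print(advice)
```

With the post's figures the sample lands in "journal_backlog", which is the case where the beats input is fine and the problem sits between the journal and Elasticsearch; if the journal were empty instead, the messages would be getting consumed and dropped (or indexed with a timestamp the dashboard's time range does not cover), which is a different place to look.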