First, I’d like to say that Graylog is awesome and I’ve been using it to collect syslog for a long time. However, in the recent past I’ve been struggling to get Windows events to arrive at the Graylog server successfully. I’ve used some Windows Event to syslog forwarders, but since our AD servers are collecting logs from all of the Windows hosts, I was only getting messages from the servers, and it wouldn’t separate them out with the workstations as the source of the event. I’ve been trying to get the sidecar collector to work with NXLOG on an AD server, but am having limited success. I tried to follow the writeup on the old Graylog documentation site, but partway through the instructions it took a left turn and went from NXLOG to Beats setup and never completed the setup for NXLOG. Is there someone who has documented each step of how to get Windows Events collected on an AD server from various workstations, send those into Graylog using the sidecar collector, and have it separate out the workstations as sources? I’m probably making this much more complicated than it has to be, but I think I need someone to hold my hand at least for the basic setup, and I can get granular from there.