First, I’d like to say that Graylog is awesome and I’ve been using it to collect syslog for a long time. However, in the recent past I’ve been struggling to get Windows events to arrive at the Graylog server successfully. I’ve used some Windows Events to syslog forwarders, but since our AD servers are collecting logs from all of the Windows hosts, I was only getting messages from the servers but it wouldn’t separate them into the workstations as the source of the event. I’ve been trying to get the sidecar collector to work with NXLOG on an AD server, but am having limited success. I tried to follow the writeup on the old Graylog documentation site, but during the instructions it took a left turn and went from NXLOG to Beats setup and never completed the setup for NXLOG. Is there someone who has documented each step on how to get Windows Events collected on an AD server from various workstations to send those into Graylog using the sidecar collector and had it separate out the workstations as sources? I’m probably making this much more complicated than it has to be, but I think I need someone to hold my hand at least for the basic setup and I can get granular from there.
I could even skip the sidecar configuration and just keep the nxlog.conf file local to each server. Even when I try that, I still can’t get the individual machines as source computers when inputting to Graylog. All messages appear to come from the one AD server.
That was going to be my next move since we can deploy with PDQDeploy or other means. I was trying to minimize the installation but I probably could have been done with all the time I have spent messing with it. Sometimes I just want to figure something out. Of course, the sidecar process is supposed to make upkeep and changes easier from a central place.
If you use the normal Windows event forwarding mechanism, the events appear in the “Forwarded Events” queue. It is easy to grab that with nxlog, but the source field is then the event collector’s name. To get the proper source, you can find the original source in the message and create an extractor for the input that overwrites the source field in Graylog.
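The extractor step described in the reply above, modelled in Python as an added example (this is not code from any post in this thread or from Graylog or nxlog): the collector's name arrives in `source`, the original computer name is pulled out of the message body, and `source` is overwritten. The sample messages, the `<Computer>` XML element and the `"Hostname"` JSON key are constructed assumptions for the example; in Graylog the same regex would go into a regex extractor on the input, storing the match in the `source` field.

```python
import re
from typing import Optional

# Patterns an extractor could apply to the raw message. Group 1 is the original
# computer name. The first matches the <Computer> element of an event rendered
# as XML; the second matches a "Hostname" key in a JSON-serialised event record.
# Both shapes are assumptions for this example, not a statement about nxlog.
ORIGINAL_SOURCE_PATTERNS = [
    re.compile(r"<Computer>([^<]+)</Computer>"),
    re.compile(r'"Hostname"\s*:\s*"([^"]+)"'),
]

def find_original_source(raw_message: str) -> Optional[str]:
    """Return the workstation name embedded in a forwarded event, or None."""
    for pattern in ORIGINAL_SOURCE_PATTERNS:
        match = pattern.search(raw_message)
        if match:
            return match.group(1).strip()
    return None

def rewrite_source(msg: dict) -> dict:
    """Mimic an extractor that overwrites 'source' from the message body.

    When no original computer name is found, 'source' is left as the
    collector, so the event is still attributed to a real host.
    """
    result = dict(msg)
    original = find_original_source(msg.get("message", ""))
    if original:
        result["collector"] = msg.get("source")  # keep the forwarding host too
        result["source"] = original
    return result

# Constructed sample messages as they would arrive from the collector: 'source'
# is the event collector (ad01), the workstation name is only in the body.
SAMPLE_MESSAGES = [
    {"source": "ad01.corp.example",
     "message": "<Event><System><Computer>ws17.corp.example</Computer>"
                "<EventID>4624</EventID></System></Event>"},
    {"source": "ad01.corp.example",
     "message": '{"Hostname":"ws22.corp.example","EventID":4625,'
                '"Channel":"ForwardedEvents"}'},
    {"source": "ad01.corp.example",
     "message": "event text with no embedded computer name"},
]

def demo() -> list:
    """Return the 'source' value of every sample after the rewrite."""
    return [rewrite_source(m)["source"] for m in SAMPLE_MESSAGES]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_MESSAGES, map(rewrite_source, SAMPLE_MESSAGES)):
        print(f"{before['source']:20} -> {after['source']}")
```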