Help with Windows Server logs

I actually have a bunch of questions… about to pull my hair out with this thing.
I set up NXLog to forward Windows server logs to Graylog - which worked, somewhat anyway - I'm not sure what data it was forwarding, but I had a LOT of data: it went from 250 MB/day from Unifi to 1.5 GB/day, which is a bit extreme.
So I looked to see what I could do to filter what was coming in - it seems SolarWinds has a free forwarder that will filter out what I want to see or don't - the trouble with that is I don't know what I want to see or what options to check.
Is there a good way to forward logs from Windows server to Graylog? And then what logs should I be sending/receiving - I know that's up to me, but I have no clue what logs I want to see, so any suggestions in that area would be super. Currently doing this on an NPS server - Windows Server 2016, I believe.

I believe I have some of that sorted out - although I don't see "NPS" anywhere in the list of items to filter…
Regardless - I'm getting a bunch of event 5152 - the Windows Filtering Platform blocked a packet - and there are a number of them. I found an article on Microsoft's site, but it doesn't really help me to know what to do or not do about this.

Is this something I should ignore? Or try to filter out?
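As an added example (not code from this thread, and not from the NXLog or Graylog projects), here is an NXLog Community Edition configuration for the setup described above: it reads the Security and System event logs, suppresses the Windows Filtering Platform events at the Windows query level so they are never read off the host, and ships the rest to Graylog as GELF over TCP. The Graylog hostname and port, the NXLog install path, and the inclusion of event IDs 5156 and 5157 (the WFP "permitted/blocked a connection" events, which come from the same audit family as 5152) are my assumptions, not something the thread states.

```nxlog
# Added example (not from the thread): NXLog CE config that forwards Windows
# Security/System logs to Graylog and drops Windows Filtering Platform noise.
# ROOT, Host and Port are assumptions; adjust to your installation and input.

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# GELF formatter so Graylog receives structured fields (EventID, Channel, ...)
<Extension gelf>
    Module xm_gelf
</Extension>

<Input eventlog>
    Module im_msvistalog
    # Filter in the Windows event query itself, so unwanted events are never
    # read from the log at all. Security: everything except WFP events.
    # System: only Critical (1), Error (2) and Warning (3) levels.
    #   5152 = WFP blocked a packet (the event asked about above)
    #   5156 = WFP permitted a connection   (assumed, same audit family)
    #   5157 = WFP blocked a connection     (assumed, same audit family)
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Suppress Path="Security">*[System[(EventID=5152 or EventID=5156 or EventID=5157)]]</Suppress>
            </Query>
        </QueryList>
    </QueryXML>
    # Second safety net inside NXLog: drop the same IDs if they arrive anyway.
    Exec if $EventID IN (5152, 5156, 5157) drop();
</Input>

<Output graylog>
    Module om_tcp
    # Assumption: a GELF TCP input listening on this host/port in Graylog
    Host graylog.example.internal
    Port 12201
    OutputType GELF_TCP
</Output>

<Route eventlog_to_graylog>
    Path eventlog => graylog
</Route>
```

After restarting the nxlog service, watch the Graylog input's message rate for a day to compare against the 1.5 GB/day figure; the `<Suppress>` element is the part that actually reduces load, because the `Exec ... drop()` line only discards events NXLog has already read. Event 5152 is only generated while the "Filtering Platform Packet Drop" audit subcategory is enabled, so if nobody needs those events, turning that subcategory off in the audit policy on the server removes the noise at its origin rather than in transit.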

I put a post together here that talks a little about tracking windows events. There is more I have behind that with posts on the pipeline and rules I am using, some of which is searchable in the forums.

The Windows Ultimate Security Encyclopedia is a good place to start for what to look for in EventIDs. They have a cheat sheet you can pick up there that has some core EventIDs to watch.

I use the Beats log shipper on Windows, and there are some things you can do to exclude or remove data/messages before the message gets shipped to Graylog. NXLog does that too… I am unfamiliar with it, though.

That's a start - ask any question you want - likely best to start new questions when appropriate so the solutions are searchable for future users. :)