I actually have a bunch of questions… about to pull my hair out with this thing.
I set up NXLog to forward Windows Server logs to Graylog - which worked, somewhat anyway - not sure what data it was forwarding, but I had a LOT of data: it went from 250 MB/day from UniFi to 1.5 GB/day, which is a bit extreme.
So I looked to see what I could do to filter what was coming in - it seems SolarWinds has a free forwarder that will filter out what I want to see or don't - the trouble with that is I don't know what I want to see or what options to check.
Is there a good way to forward logs from Windows Server to Graylog? And then what logs should I be sending/receiving? I know that's up to me, but I have no clue what logs I want to see, so any suggestions in that area would be super. Currently doing this on an NPS server - Windows Server 2016, I believe.
I believe I have some of that sorted out - although I don’t see “NPS” anywhere in the list of items to filter…
Regardless - I'm getting a bunch of event 5152 - the Windows Filtering Platform blocked a packet - and there are a number of them. I found an article from Microsoft, but it doesn't really help me to know what to do or not do about this.
Is this something I should ignore? Or try to filter out?
I put a post together here that talks a little about tracking Windows events. I have more behind that, with posts on the pipeline and rules I am using, some of which is searchable in the forums.
The Windows Ultimate Security Encyclopedia is a good place to start for what to look for in EventIDs. They have a cheat sheet you can pick up there that has some core EventIDs to watch.
I use the Beats log shipper on Windows, and there are some things you can do to exclude or remove data/messages before the message gets shipped to Graylog. NXLog does that too… I am unfamiliar with it, though.
That's a start - ask any question you want - it's likely best to start new questions when appropriate so the solutions are searchable for future users.
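One way to do the filtering at the shipper, as an added example and not the poster's own configuration: a Winlogbeat `winlogbeat.yml` that only forwards a starter set of Security and System event IDs (the cheat-sheet style "core events" approach mentioned above, plus the NPS audit events 6272-6280, which are written to the Security log rather than appearing as a separate "NPS" source) and therefore never ships the Windows Filtering Platform events such as 5152. The Graylog host name, the port, and the exact ID list are assumptions to adjust for your environment; Graylog's Beats input listens on the Logstash protocol, port 5044 by default.

```yaml
# winlogbeat.yml - added example, not from the original thread.
# Edit the hosts entry below to point at your Graylog Beats input.

winlogbeat.event_logs:
  # Security log, allow-list style: only the listed IDs are forwarded.
  # Anything not listed (including 5152/5156/5157 from the Windows
  # Filtering Platform) is dropped on the Windows host, before it is
  # shipped. The ID set here is an editor's starting point, not a
  # complete list; trim or extend it for your environment.
  #   1102                 audit log cleared
  #   4624/4625/4648       logon success / failure / explicit credentials
  #   4672                 special privileges assigned at logon
  #   4688                 process creation
  #   4697/4698/4719       service install / scheduled task / audit policy change
  #   4720-4726            user account created, enabled, password set, disabled, deleted
  #   4728/4732/4756       member added to global / local / universal group
  #   4740/4767            account locked out / unlocked
  #   4768/4769/4771/4776  Kerberos TGT / service ticket / pre-auth failure / NTLM auth
  #   6272-6280            Network Policy Server: access granted, denied, discarded,
  #                        quarantined, probation, full access, locked, unlocked
  - name: Security
    event_id: 1102, 4624, 4625, 4648, 4672, 4688, 4697, 4698, 4719, 4720, 4722, 4724, 4725, 4726, 4728, 4732, 4740, 4756, 4767, 4768, 4769, 4771, 4776, 6272-6280
    # On first start do not backfill the whole log; 72h is an assumption.
    ignore_older: 72h

  # Block-list alternative for the Security log, if you would rather keep
  # everything except the noisy Windows Filtering Platform events:
  # - name: Security
  #   event_id: -5152, -5156, -5157, -5158

  # System log: service installs, service crashes, and unexpected shutdowns.
  - name: System
    event_id: 6005, 6006, 6008, 7034, 7045

output.logstash:
  # Graylog "Beats" input. Host name is a placeholder assumption.
  hosts: ["graylog.example.internal:5044"]
```

Before restarting the service, `winlogbeat.exe test config -c winlogbeat.yml` validates the file and `winlogbeat.exe test output -c winlogbeat.yml` confirms the connection to the Graylog input. Winlogbeat's `event_id` field is a comma-separated list where a bare ID or range includes and a leading `-` excludes, so the two Security entries above are the two ways of expressing the same intent: either forward only what you have decided you want, or forward everything except what you have decided is noise.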