How can I configure Graylog 4 so that only authentication [success/failure] logs are stored on disk

I have a few Windows and SLES servers. I only want to collect authentication logs. I can customize rsyslog on SLES, but on Windows all logs are being captured. How can I configure Graylog 4 so that only authentication [success/failure] logs are stored on disk and all other logs are discarded?

You will need to use pipelines and drop unwanted messages.

You can tell the windows collector which things you want to include or exclude - here is an example from one of the Beats configurations I have. I don’t have any nxlog examples but I am sure it is possible. The include/exclude statements parse via regex style (more detail here):

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts:
   - ${user.BeatsInput}
   ssl:
     # verification_mode belongs under ssl; at the same indentation as ssl it is ignored
     verification_mode: none
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
# one list entry per tag; a single entry with commas is stored as one tag
tags:
 - windows
 - exchange
 - filebeat
 - OWA
 - e-mail
 - rpc
 - activesync
filebeat:
  inputs:
##### find owa logon and logoff but not when the HealthMailbox does it.
    - type: log
      enabled: true
      include_lines: ['auth.owa', 'logoff.owa', 'ClientDisconnect']
      exclude_lines: ['HealthMailbox','^#']
      fields:
        unique_log_tag: OWA
      ignore_older: 72h
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\*.LOG
#
##### find RPC/HTTP logins but still not the HealthMailbox and not internal
    - type: log
      enabled: true
      include_lines: ['Exchange.asmx']
      exclude_lines: ['HealthMailbox','^#','^DateTime','AnchorMailboxHeader-SMTP','10.143.[0-9]+.[0-9]+']
      fields:
        unique_log_tag: rpc_http
      ignore_older: 72h
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews\*.LOG
#
##### find Activesync logins but still not the HealthMailbox
    - type: log
      enabled: true
#     include_lines: ['Microsoft-Server-ActiveSync','NewConnection=']
      include_lines: ['NewConnection=']
      exclude_lines: ['localhost','^#','^DateTime',',OPTIONS,']
      fields:
        unique_log_tag: activesync
      ignore_older: 72h
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Eas\*.LOG
```

If you want to pull all of the logs and separate the success/failure logs then streams are the easiest route.
You can easily pull all of the logs and route the rest into an index that rotates more frequently with the success/failure routed into a different index.

This example pulls logs based on Active Directory failed logon event IDs.

[Screenshot from 2021-01-22 11-46-46: stream rules matching the failed logon event IDs]

A couple of notes on that:

  • 4625 is a logon failure, and you can parse out the failure reason and logon type by taking the codes, putting them in a Lookup Table and injecting them into the message. (Failure Reasons Here)

  • 4740 notes that an account was locked out.

  • 4771 Kerberos pre-authentication failure might be interesting. (Info Here) (Result codes can be placed in a Lookup Table as well.)

If anyone is interested I can post/send table data.
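The routing this post describes (keep the AD authentication event IDs, enrich 4625 and 4771 from lookup tables, discard everything else), written out as an added example that is not part of the thread. Field names follow winlogbeat as a Graylog Beats input flattens them and the lookup tables are constructed partial lists; both are assumptions to check against your own messages.

```python
# Constructed lookup tables; field names assume winlogbeat messages as a
# Graylog Beats input flattens them (check your own messages).
AUTH_EVENTS = {4624: "logon_success", 4625: "logon_failure",
               4740: "account_lockout", 4771: "kerberos_preauth_failure"}
# Event 4625 sub-status codes (partial, from the documented NTSTATUS meanings).
LOGON_FAILURE_REASON = {"0xc000006a": "bad password", "0xc0000064": "user name does not exist",
                        "0xc0000234": "account locked out", "0xc0000072": "account disabled",
                        "0xc0000071": "password expired", "0xc0000193": "account expired"}
LOGON_TYPE = {"2": "Interactive", "3": "Network", "7": "Unlock",
              "10": "RemoteInteractive", "11": "CachedInteractive"}
# Event 4771 Kerberos result codes (partial).
KERBEROS_RESULT = {"0x18": "pre-authentication failed (bad password)",
                   "0x12": "client credentials revoked", "0x17": "password expired",
                   "0x25": "clock skew too great"}

def route(message):
    """Return (stream_name, enriched_message), or None to drop the message
    (what drop_message() does in a Graylog pipeline rule)."""
    try:
        event_id = int(message.get("winlogbeat_event_id", -1))
    except (TypeError, ValueError):
        return None
    if event_id not in AUTH_EVENTS:
        return None  # not an authentication event: discard, never written to disk
    out = dict(message)
    if event_id == 4625:
        sub = str(message.get("winlogbeat_event_data_SubStatus", "")).lower()
        out["failure_reason"] = LOGON_FAILURE_REASON.get(sub, "unknown")
        logon_type = str(message.get("winlogbeat_event_data_LogonType", ""))
        out["logon_type_name"] = LOGON_TYPE.get(logon_type, "unknown")
    elif event_id == 4771:
        status = str(message.get("winlogbeat_event_data_Status", "")).lower()
        out["failure_reason"] = KERBEROS_RESULT.get(status, "unknown")
    return AUTH_EVENTS[event_id], out

def process(messages):
    """Route a batch; returns the kept (stream, message) pairs and the drop count."""
    routed = [route(m) for m in messages]
    return [r for r in routed if r is not None], routed.count(None)

# Constructed sample messages, as a Beats input would deliver them.
SAMPLE = [
    {"winlogbeat_event_id": "4625", "winlogbeat_event_data_TargetUserName": "jdoe",
     "winlogbeat_event_data_SubStatus": "0xC000006A", "winlogbeat_event_data_LogonType": "10"},
    {"winlogbeat_event_id": "4771", "winlogbeat_event_data_Status": "0x18"},
    {"winlogbeat_event_id": "7036", "message": "The Print Spooler service entered the running state."},
]
```

The two kept messages would be routed to their own streams and indices; the service event is dropped before it reaches an index.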

Hi @tmacgbay
I think a lot of people would be interested in the table, as we are all using AD services, please post.

Created a new post with the relevant tables here.