Hi everyone, first of all thanks for your support my question is.
How can i collect logs from custom location in windows? for example, audit logs for MSSQL, or another application.
Here’s my actual config.
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
windows
name: Application
name: System
name: Security
Thanks in advice
If you do not have the logs in the Windows events, you must use Filebeat or Nxlog.
1 Like
jan
September 25, 2019, 6:07am
3
as winlogbeat is only getting the messages from windows event log, you need to configure filebeat to get specific logfiles.
thanks for the answer, i try to configure filebeat but without results.
this is my config
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
windows
C:\ProgramData\Veeam\Endpoint*log
and the logs
2019-09-26T16:56:03.187-0500 INFO instance/beat.go:544 Home path: [C:\Program Files\Graylog\sidecar] Config path: [C:\Program Files\Graylog\sidecar] Data path: [C:\Program Files\Graylog\sidecar\cache\filebeat\data] Logs path: [C:\Program Files\Graylog\sidecar\logs]
2019-09-26T16:56:03.203-0500 INFO instance/beat.go:551 Beat UUID: 3900d37a-da41-43dd-863e-93b0938caaa8
2019-09-26T16:56:03.203-0500 INFO [beat] instance/beat.go:768 Beat info {"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Graylog\\sidecar", "data": "C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat\\data", "home": "C:\\Program Files\\Graylog\\sidecar", "logs": "C:\\Program Files\\Graylog\\sidecar\\logs"}, "type": "filebeat", "uuid": "3900d37a-da41-43dd-863e-93b0938caaa8"}}}
2019-09-26T16:56:03.203-0500 INFO [beat] instance/beat.go:777 Build info {"system_info": {"build": {"commit": "e193f6d68b25b7ddbe3a3ed8d60bc07fea1ef800", "libbeat": "6.4.2", "time": "2018-09-26T12:41:59.000Z", "version": "6.4.2"}}}
2019-09-26T16:56:03.203-0500 INFO [beat] instance/beat.go:780 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.10.3"}}}
2019-09-26T16:56:03.214-0500 INFO [beat] instance/beat.go:784 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-09-09T17:46:29.73-05:00","hostname":"SqlServer232","ips":["fe80::d60:3acc:e66d:6806/64","192.168.0.232/24","::1/128","127.0.0.1/8","fe80::5efe:c0a8:e8/128"],"kernel_version":"6.3.9600.18589 (winblue_ltsb.170204-0600)","mac_addresses":["00:15:5d:07:59:1f","00:00:00:00:00:00:00:e0"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2012 R2 Standard","version":"6.3","major":3,"minor":0,"patch":0,"build":"9600.18619"},"timezone":"CDT","timezone_offset_sec":-18000,"id":"f893ae12-cf30-4934-8b44-4e24a91706d1"}}}
2019-09-26T16:56:03.214-0500 INFO instance/beat.go:273 Setup Beat: filebeat; Version: 6.4.2
2019-09-26T16:56:03.215-0500 INFO pipeline/module.go:98 Beat name: SqlServer232
2019-09-26T16:56:03.217-0500 ERROR instance/beat.go:743 Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch?
system
October 10, 2019, 10:08pm
5
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
