I am new with Graylog and just wondering how to search for Success or Fail Windows Logons ?
Thanks for your help,
This is definitely doable, but without more information on what you’ve already done from both a Graylog perspective and a log shipper perspective, we’d have a hard time helping and most likely end up wasting everyone’s time.
hmm, i thought it was just a search query… 
It is… but you need to realize that we have no idea what the state of your setup is or how you are parsing your logs… it may be as easy as searching for
Event-id:4624
Or you may have done zero parsing and it’s more involved.
Which is why we tend to ask for more information.
You are correct… it’s just as simple as a query… assuming everything is up and running… 
@gerf - Are you currently receiving windows security logs that contain logon failure? If so its searching for the right eventID’s If you are starting from scratch with tracking windows logs, there are possibly changes you need to make in AD, maybe choices to make in sidecars (beats/nxlog) and configurations to set up therin. Inputs to create to receive them into graylog… If you are more specific on where you are on your process, the community can be more specific on how to help you along with your own research on how to do it… Use Google, in general and against the community posts. Look at the the graylog marketplace, there is information posted in there (I know because I posted it!) Good luck!
Thanks, our graylog is configured correctly. I know we are getting logs. I am new on this, and I wondered how I am going to query a user for xyz event ID. In powershells you can do it but takes forever parsing the windows security log. Oukayyyy. Thank you…
Nothing to go on. Are you receiving windows security info into Graylog? is it nxlog/beats?
I have seen nxlog service and i see the service running
If you want someone to hold your hand, consider paid support. If you want help here, you will have to do some research and give way more detail.
1 Like
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.