I can't see winlogbeat logs

I’ve launched a new Beats input:

bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 4
override_source:
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password:********

I’ve installed/enabled/started graylog-sidecar-1.1.0-1.x86_64.rpm on rhel 8.3
I’ve created a new token
I’ve edited sidecar.yml:

server_url: "http://ipgraylog:9000/api/"
server_api_token: "tokencreated"
tls_skip_verify: true

I’ve opened port udp 5044: firewall-cmd --add-port=5044/udp --permanent
I’ve created a new sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["ipgraylog:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security

I’ve installed graylog_sidecar_installer_1.1.0-1.exe on my pc windows 10 with command:
"\share\Sidecar_1.1.0-1.exe" /S -SERVERURL=http://ipgraylog:9000/api -APITOKEN=tokencreated
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

I’ve selected winlogbeat of my pc w10 on sidecar/administrator and linked it with collector created previously and started it.
But in sidecars/overview, if I click on show messages of my pc W10, it’s empty.

What am I doing wrong?

Thank you

If you use the forum tools like </> for formatting your code, your posts will be much easier to read. The sidecar configuration is particular about spacing, so that will help people reviewing your post to see possible errors. There are logs on the sidecar client Windows machine; you can start there and see if it is trying to connect but can’t: C:\Program Files\Graylog\sidecar\logs

Sorry for formatting code wrong.
I tried to install the sidecar on other pc w10, this is the log:

time="2021-06-11T16:14:48+02:00" level=info msg="Starting signal distributor" 
time="2021-06-11T16:14:58+02:00" level=info msg="No configurations assigned to this instance. Skipping configuration request." 
time="2021-06-11T16:15:58+02:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-11T16:15:58+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-11T16:15:59+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 
time="2021-06-11T16:16:09+02:00" level=info msg="Collector [winlogbeat] is already running, skipping start action." 

Other configuration with correct formatting:
Input Beats:

bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 4
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password:********

/etc/graylog/sidecar/sidecar.yml

server_url: "http://172.19.1.125:9000/api/"
server_api_token: "1cgb1j8j0jekoresst92nnsu0rkgfiujslm99a6c7rgejqdfrqvo"
tls_skip_verify: true

Sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["172.19.1.125:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security
     event_id: -4662

Also on the second test pc I don't see any recorded logs

I have only now seen that a configuration is entered as text, the Sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["172.19.1.125:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security

On the win10 machine your initial C:\Program Files\Graylog\sidecar\sidecar.yml needs to point back to the Graylog server. For instance, this is what mine looks like:

server_url: http://GraylogServer:9000/api/
server_api_token: "<<SuperSecretCode>>>" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
backends:
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml
    - name: auditbeat
      enabled: false
      binary_path: C:\Program Files\Graylog\sidecar\auditbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\auditbeat.yml

If you change it, restart the Windows service. That should have the Win10 machine show up in Graylog for you to apply your configuration to it. When all that is happening, the Win10 machine should update its logs saying it changed the configuration.

This is my sidecar configuration on W10

server_url: "http://172.19.1.125:9000/api"
server_api_token: "1cgb1j8j0jekoresst92nnsu0rkgfiujslm99a6c7rgejqdfrqvo"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_name: ""
update_interval: 10
tls_skip_verify: false
send_status: true

On graylog I already see the computer w10

But if I click on “Show messages”, I don’t see log

It is my guess that you need to (at least) add in the winlogbeat backends section to your configuration so the client can tell the server that it is using beats (rather than nxlog or something else…) - match what mine has listed… you don’t need the auditbeats or filebeat sections unless you plan to use them in the future… you can set them to enabled:false until such time.

There are a few other lines you ought to add such as telling it where to put log files etc. You could even copy mine and just put in your unique server_url and server_api_token

I copied and edited your configuration.

server_url: http://172.19.1.125:9000/api/
server_api_token: "1cgb1j8j0jekoresst92nnsu0rkgfiujslm99a6c7rgejqdfrqvo" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
backends:
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml

I restart the service:

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service stop
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

I tried to restart the sidecar, but the log is empty.

Are there any files C:\Program Files\Graylog\sidecar\logs? That is where the client will put information about what it is doing.

Yes, there are winlogbeat and winlogbeat.1.
This is the first part of winlogbeat:

2021-06-15T09:55:19.638+0200	INFO	instance/beat.go:660	Home path: [C:\Program Files\Graylog\sidecar] Config path: [C:\Program Files\Graylog\sidecar] Data path: [C:\Program Files\Graylog\sidecar\cache\winlogbeat\data] Logs path: [C:\Program Files\Graylog\sidecar\logs]
2021-06-15T09:55:19.643+0200	INFO	instance/beat.go:668	Beat ID: 52a46660-9a8e-4239-851b-89030593cd38
2021-06-15T09:55:19.645+0200	INFO	[beat]	instance/beat.go:996	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Graylog\\sidecar", "data": "C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat\\data", "home": "C:\\Program Files\\Graylog\\sidecar", "logs": "C:\\Program Files\\Graylog\\sidecar\\logs"}, "type": "winlogbeat", "uuid": "52a46660-9a8e-4239-851b-89030593cd38"}}}
2021-06-15T09:55:19.645+0200	INFO	[beat]	instance/beat.go:1005	Build info	{"system_info": {"build": {"commit": "9b2fecb327a29fe8d0477074d8a2e42a3fabbc4b", "libbeat": "7.11.1", "time": "2021-02-15T13:07:49.000Z", "version": "7.11.1"}}}
2021-06-15T09:55:19.645+0200	INFO	[beat]	instance/beat.go:1008	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.14.14"}}}
2021-06-15T09:55:19.758+0200	INFO	[beat]	instance/beat.go:1012	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-06-10T22:31:29.06+02:00","name":"NOMEPC","ip":["fe80::8525:4020:f8f3:558/64","172.19.5.71/21","fe80::c566:3699:5157:f351/64","169.254.243.81/16","fe80::46f:a03f:f677:856e/64","172.24.16.1/20","172.19.4.97/21","fe80::ccd2:d277:fd0f:9947/64","169.254.153.71/16","fe80::6b:abe9:d1ea:7b7d/64","169.254.123.125/16","::1/128","127.0.0.1/8","fe80::f902:62d8:e744:6214/64","172.22.48.1/20","fe80::cd2f:cda3:5c38:b428/64","172.25.240.1/20"],"kernel_version":"10.0.19041.906 (WinBuild.160101.0800)","os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"19042.906"},"timezone":"CEST","timezone_offset_sec":7200,"id":"9f804622-dfa9-4ad4-b3c8-b988c1517bb0"}}}

Today I also saw winlogbeat.2 and .3, and I saw this error in sidecar.log:

time="2021-06-16T08:31:38+02:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: Put \"http://172.19.1.125:9000/api/sidecars/7887d881-62d7-468e-ac26-874eb7d2e41b\": dial tcp 172.19.1.125:9000: i/o timeout" 
time="2021-06-16T08:31:58+02:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-16T08:31:58+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-16T08:32:01+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 

Sidecar can’t connect to the server (timeout) - is the IP correct? Double check configuration details… Do you have any firewalls or the like in the way? Can you ping 172.19.1.125 from the Win10 machine

This is what you should see in your sidecar.log:

time="2021-06-11T10:14:33-04:00" level=info msg="Starting signal distributor" 
time="2021-06-11T10:14:43-04:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-11T10:14:43-04:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-11T10:14:44-04:00" level=info msg="[winlogbeat] Starting (svc driver)"

It’s correct, the error “Failed to report” there is only when I’m disconnected from the network.
I tried with the other Windows 10 (vm), which is always on the network.
I edited the sidecar.yml:

server_url: http://172.19.1.125:9000/api/
server_api_token: "1cgb1j8j0jekoresst92nnsu0rkgfiujslm99a6c7rgejqdfrqvo" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
backends:
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml

I restarted the service graylog-sidecar:

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service stop
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

This is the log:

time="2021-06-11T16:14:48+02:00" level=info msg="Starting signal distributor" 
time="2021-06-11T16:14:58+02:00" level=info msg="No configurations assigned to this instance. Skipping configuration request." 
time="2021-06-11T16:15:58+02:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-11T16:15:58+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-11T16:15:59+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 
time="2021-06-11T16:16:09+02:00" level=info msg="Collector [winlogbeat] is already running, skipping start action." 
time="2021-06-11T16:30:21+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-11T16:30:22+02:00" level=info msg="[winlogbeat] Stopping" 
time="2021-06-11T16:30:22+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 
time="2021-06-17T08:50:59+02:00" level=info msg="Stopping signal distributor" 
time="2021-06-17T08:50:59+02:00" level=info msg="[winlogbeat] Stopping" 
time="2021-06-17T08:51:02+02:00" level=info msg="Starting signal distributor" 
time="2021-06-17T08:51:13+02:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-17T08:51:13+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-17T08:51:15+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 

I have the winlogbeat files in "C:\Program Files\Graylog\sidecar\logs", but on Graylog the log is empty.

I checked the last log on the Graylog server (/var/log/graylog-server/server.log) because the graylog-sidecar log is empty (there are only 2 old records):

2021-06-17T09:00:16.564+02:00 WARN  [RestClient] request [GET http://127.0.0.1:9200/graylog_0/_mapping] returned 1 warnings: [299 Elasticsearch-7.13.1-9a7758028e4ea59bcab41c12004603c5a7dd84a9 "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.13/security-minimal-setup.html to enable security."]

If you are disconnected from the network, you aren’t going to get logs… :crazy_face:

In the next log instance you are showing… where you are connected … you are getting this:

... "No configurations assigned to this instance. Skipping configuration request." ...

Which means you have not assigned a configuration to that win10 machine under Sidecars Administration. It is there you have to manually tell Graylog to apply a configuration to the client - it is then sent to the client and it starts reporting per what the configuration says.

Under Sidecars/Collectors/Administration, find the Win10 machine. Click the check mark to the left of Winlogbeat (or whichever you want to assign a configuration to) then on the right side pull down the Configure Menu and assign the configuration.

Everything is already like this.

And the collector is running.

Any luck with it? From what I can see the configurations you posted look correct - not sure why you aren’t receiving anything - if you find the issue, please post it!

I don’t know if I did something wrong during the installation; here is the procedure I followed. Can you see if I did everything right?
Install a vm with RHEL 8.3

yum update
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum -y install wget pwgen yum-utils dpkg java-1.8.0-openjdk-headless
nano /etc/yum.repos.d/mongodb-org.repo

[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc

yum install -y mongodb-org
systemctl daemon-reload
systemctl enable mongod
systemctl start mongod

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
nano /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

yum install -y elasticsearch
nano /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog
action.auto_create_index: false

systemctl daemon-reload
systemctl enable elasticsearch
systemctl restart elasticsearch
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.0-repository_latest.rpm
yum install -y graylog-server
pwgen -N 1 -s 96
echo -n yourpassword | sha256sum
nano /etc/graylog/server/server.conf

password_secret = firstkeygenerated (pwgen -N 1 -s 96)
root_password_sha2 = secondkeygenerated (echo -n yourpassword | sha256sum)
root_email = mymail
root_timezone = Europe/Rome
http_bind_address = 172.19.1.125:9000
is_master = true
elasticsearch_shards = 1
elasticsearch_replicas = 0

systemctl daemon-reload
systemctl enable graylog-server
systemctl start graylog-server

firewall-cmd --add-port=9000/tcp --permanent
firewall-cmd --add-port=1514/udp --permanent
firewall-cmd --reload

To install the sidecar I followed these steps:

wget https://github.com/Graylog2/collector-sidecar/releases/download/1.1.0/graylog-sidecar-1.1.0-1.x86_64.rpm
rpm -i graylog-sidecar...rpm
graylog-sidecar -service install
systemctl enable graylog-sidecar
systemctl start graylog-sidecar

web interface: System-->Sidecars-->"Create or reuse a token for the graylog-sidecar use"
Token name: Windows-->Create token
nano /etc/graylog/sidecar/sidecar.yml

server_url: "http://172.19.1.125:9000/api/"
server_api_token: "createdtoken"
tls_skip_verify: true

systemctl start graylog-sidecar
firewall-cmd --add-port=5044/udp --permanent
firewall-cmd --reload

web interface: System-->Input-->Beats-->Launch new input-->Title: Sidecar-->Save
web interface: System-->Sidecars-->Configuration-->Edit winlogbeat-->Default Template-->hosts: ["172.19.1.125:5044"]
web interface: System-->Sidecars-->Create Configuration

Name:windows_sidecar
Change color
Collector: winlogbeat on Windows
Create

Install the agent on the Windows PC:

1.1.0-1.exe /S -SERVERURL=http://172.19.1.125:9000/api -APITOKEN=createdtoken
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

web interface: System-->Sidecars-->Administration
Select winlogbeat for each pc windows
Configure-->windows_sidecar-->Confirm
Process-->Start-->Confirm
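The steps above open only 5044/udp on the server, while winlogbeat's output.logstash and the Graylog Beats input talk TCP (the input's tcp_keepalive option and the tcp://...:5044 connection in the winlogbeat log posted later in this thread both show that). The following Python check is added here and is not code from this thread or from Graylog: it cross-references the collector's hosts entry with the Beats input settings, the opened firewalld ports and the server's listening sockets; the `firewall-cmd --list-ports` and `ss -ltn` outputs are constructed samples mirroring the values shown in the thread.

```python
import re

# Constructed samples that mirror the values shown in this thread.
WINLOGBEAT_CFG = '''
output.logstash:
   hosts: ["172.19.1.125:5044"]
'''
BEATS_INPUT = {"bind_address": "0.0.0.0", "port": 5044, "tls_enable": False}
# Constructed output of `firewall-cmd --list-ports` after the steps above.
FIREWALLD_PORTS = "9000/tcp 1514/udp 5044/udp"
# Constructed output of `ss -ltn` on the Graylog server.
SS_LISTEN = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     172.19.1.125:9000   0.0.0.0:*
LISTEN  0       128     0.0.0.0:5044        0.0.0.0:*
"""


def logstash_hosts(cfg_text):
    """Return the host:port entries of output.logstash.hosts (flow-style list)."""
    m = re.search(r'hosts:\s*\[([^\]]*)\]', cfg_text)
    if not m:
        return []
    return [h.strip().strip('"\'') for h in m.group(1).split(",") if h.strip()]


def check_beats_path(cfg_text, beats_input, firewalld_ports, ss_output):
    """Cross-check collector target, firewalld rules, listening sockets and TLS."""
    findings = []
    opened = set(firewalld_ports.split())
    listening = set(re.findall(r'LISTEN\s+\d+\s+\d+\s+(\S+)', ss_output))
    wildcard = {"0.0.0.0", "*", "[::]"}
    for host in logstash_hosts(cfg_text):
        addr, _, port = host.rpartition(":")
        if int(port) != beats_input["port"]:
            findings.append(f"{host}: port differs from the Beats input port {beats_input['port']}")
        # The Beats/logstash output is TCP; a UDP rule on the same number does nothing for it.
        if f"{port}/tcp" not in opened:
            findings.append(f"firewalld: {port}/tcp is not opened ({port}/udp does not help)")
        bound = {l.rpartition(":")[0] for l in listening if l.endswith(f":{port}")}
        if not bound:
            findings.append(f"nothing is listening on :{port} on the server")
        elif not (bound & wildcard) and addr not in bound:
            findings.append(f"input bound to {sorted(bound)} but the client targets {addr}")
    if not beats_input["tls_enable"]:
        findings.append("Beats input has tls_enable: false, events cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for f in check_beats_path(WINLOGBEAT_CFG, BEATS_INPUT, FIREWALLD_PORTS, SS_LISTEN):
        print("-", f)
```

On a real server, replace the constructed strings with the output of `firewall-cmd --list-ports` and `ss -ltn` and the Beats input values from the Graylog UI.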

Here is what I see in my win10 machine C:\Program Files\Graylog\sidecar\logs folder on a clean initial start. You can stop the win10 service, clear the logfiles directory and start up again - perhaps compare with what I have here. The last line in winlogbeat is where it sent events into Graylog, “successfully published 21 events”; you should have all the log lines similar to mine leading up to that, then anything missing is likely a clue as to something you are missing. If you are getting all the way to it publishing events (may take a minute) then it is something in Graylog that is not receiving correctly.

sidecar.log:

time="2021-06-22T10:06:14-04:00" level=info msg="Starting signal distributor" 
time="2021-06-22T10:06:24-04:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-22T10:06:24-04:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-22T10:06:24-04:00" level=info msg="[winlogbeat] Starting (svc driver)"

winlogbeat.log

2021-06-22T10:06:24.519-0400	INFO	instance/beat.go:660	Home path: [C:\Program Files\Graylog\sidecar] Config path: [C:\Program Files\Graylog\sidecar] Data path: [C:\Program Files\Graylog\sidecar\cache\winlogbeat\data] Logs path: [C:\Program Files\Graylog\sidecar\logs]
2021-06-22T10:06:24.521-0400	INFO	instance/beat.go:668	Beat ID: ad8zzzfc-x0x0-42fd-8acc-4960c08abfc0
2021-06-22T10:06:24.521-0400	INFO	[beat]	instance/beat.go:996	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Graylog\\sidecar", "data": "C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat\\data", "home": "C:\\Program Files\\Graylog\\sidecar", "logs": "C:\\Program Files\\Graylog\\sidecar\\logs"}, "type": "winlogbeat", "uuid": "ad8ef7fc-x0x0-22ed-8acc-4960c08abfc0"}}}
2021-06-22T10:06:24.521-0400	INFO	[beat]	instance/beat.go:1005	Build info	{"system_info": {"build": {"commit": "9b2fecb327a29fe8d0411114d8a2e42a3ftyyt4b", "libbeat": "7.11.1", "time": "2021-02-15T13:07:49.000Z", "version": "7.11.1"}}}
2021-06-22T10:06:24.521-0400	INFO	[beat]	instance/beat.go:1008	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.14.14"}}}
2021-06-22T10:06:24.527-0400	INFO	[beat]	instance/beat.go:1012	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-06-21T08:16:01.92-04:00","name":"MY-ADMIN-WORKSTATION","ip":["fe80::cda:a7b4:43e0:943f/64","10.33.33.33/16","192.168.71.55/24","::1/128","127.0.0.1/8"],"kernel_version":"10.0.19041.1052 (WinBuild.160101.0800)","mac":["00:ff:f4:35:65:22","34:17:eb:qw:15:87"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"22.22"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"5036eb30-cf6d-4581-867d-70401d478809"}}}
2021-06-22T10:06:24.527-0400	INFO	[beat]	instance/beat.go:1041	Process info	{"system_info": {"process": {"cwd": "C:\\WINDOWS\\system32", "exe": "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 12356, "ppid": 1000, "start_time": "2021-06-22T10:06:24.438-0400"}}}
2021-06-22T10:06:24.527-0400	INFO	instance/beat.go:304	Setup Beat: winlogbeat; Version: 7.11.1
2021-06-22T10:06:24.527-0400	INFO	[publisher]	pipeline/module.go:113	Beat name: MY-ADMIN-WORKSTATION
2021-06-22T10:06:24.527-0400	INFO	beater/winlogbeat.go:69	State will be read from and persisted to C:\Program Files\Graylog\sidecar\cache\winlogbeat\data\.winlogbeat.yml
2021-06-22T10:06:24.528-0400	INFO	instance/beat.go:468	winlogbeat start running.
2021-06-22T10:06:24.528-0400	INFO	[monitoring]	log/log.go:117	Starting metrics logging every 30s
2021-06-22T10:06:25.549-0400	INFO	[publisher_pipeline_output]	pipeline/output.go:143	Connecting to backoff(async(tcp://MY-GRAYLOG-SERVER:5044))
2021-06-22T10:06:25.549-0400	INFO	[publisher]	pipeline/retry.go:219	retryer: send unwait signal to consumer
2021-06-22T10:06:25.549-0400	INFO	[publisher]	pipeline/retry.go:223	  done
2021-06-22T10:06:25.556-0400	INFO	[publisher_pipeline_output]	pipeline/output.go:151	Connection to backoff(async(tcp://MY-GRAYLOG-SERVER:5044)) established
2021-06-22T10:06:25.559-0400	INFO	beater/eventlogger.go:88	EventLog[Security] successfully published 21 events
...

winlogbeat.1

2021-06-22T10:06:24.418-0400	INFO	instance/beat.go:660	Home path: [C:\Program Files\Graylog\sidecar] Config path: [C:\Program Files\Graylog\sidecar] Data path: [C:\Program Files\Graylog\sidecar\cache\winlogbeat\data] Logs path: [C:\Program Files\Graylog\sidecar\logs]
2021-06-22T10:06:24.419-0400	INFO	instance/beat.go:668	Beat ID: ad8ef7fc-0a4d-42fd-8acc-4960c08abfc0
2021-06-22T10:06:24.419-0400	INFO	[beat]	instance/beat.go:996	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Graylog\\sidecar", "data": "C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat\\data", "home": "C:\\Program Files\\Graylog\\sidecar", "logs": "C:\\Program Files\\Graylog\\sidecar\\logs"}, "type": "winlogbeat", "uuid": "ad8ef7fc-0a4d-42fd-8acc-4960c08abfc0"}}}
2021-06-22T10:06:24.419-0400	INFO	[beat]	instance/beat.go:1005	Build info	{"system_info": {"build": {"commit": "9b2fecb327a29fe8d0477074d8a2e42a3fabbc4b", "libbeat": "7.11.1", "time": "2021-02-15T13:07:49.000Z", "version": "7.11.1"}}}
2021-06-22T10:06:24.419-0400	INFO	[beat]	instance/beat.go:1008	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.14.14"}}}
2021-06-22T10:06:24.424-0400	INFO	[beat]	instance/beat.go:1012	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-06-21T08:16:01.91-04:00","name":"MY-ADMIN-WORKSTATION","ip":["fe80::cda:a7b4:43e0:943f/64","169.254.148.63/16","192.168.2.182/23","::1/128","127.0.0.1/8"],"kernel_version":"10.0.19041.1052 (WinBuild.160101.0800)","mac":["00:ff:f1:35:65:63","34:17:eb:cd:15:87"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"19043.1052"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"5036eb30-cf6d-4581-867d-70401d478809"}}}
2021-06-22T10:06:24.424-0400	INFO	[beat]	instance/beat.go:1041	Process info	{"system_info": {"process": {"cwd": "C:\\WINDOWS\\system32", "exe": "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 8396, "ppid": 7296, "start_time": "2021-06-22T10:06:24.216-0400"}}}
2021-06-22T10:06:24.424-0400	INFO	instance/beat.go:304	Setup Beat: winlogbeat; Version: 7.11.1
2021-06-22T10:06:24.425-0400	INFO	[publisher]	pipeline/module.go:113	Beat name: MY-ADMIN-WORKSTATION
2021-06-22T10:06:24.425-0400	INFO	beater/winlogbeat.go:69	State will be read from and persisted to C:\Program Files\Graylog\sidecar\cache\winlogbeat\data\.winlogbeat.yml
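To automate the comparison suggested in the post above, here is an added Python triage script (not from this thread or from Graylog) that reads sidecar.log and winlogbeat log lines, records which startup milestones were reached, and reports the first one missing together with the blockers seen. The milestone and blocker wording, and the two sample logs, are taken from lines posted in this thread; the milestone names are my own.

```python
import re

# Sidecar log format: time="..." level=info msg="..."  (msg may contain \" escapes)
SIDECAR_RE = re.compile(r'time="(?P<ts>[^"]+)"\s+level=(?P<level>\w+)\s+msg="(?P<msg>(?:[^"\\]|\\.)*)"')
# Winlogbeat log format: <ts>\t<LEVEL>\t[<selector>]\t<file:line>\t<message>  (selector optional)
BEAT_RE = re.compile(r'^(?P<ts>\S+)\t(?P<level>\w+)\t(?:\[(?P<sel>[^\]]+)\]\t)?(?P<src>\S+)\t(?P<msg>.*)$')

# Startup milestones in the order a healthy client passes through them (wording from this thread).
MILESTONES = [
    ("sidecar_started",   r"Starting signal distributor"),
    ("config_assigned",   r"Adding process runner for: winlogbeat"),
    ("collector_started", r"\[winlogbeat\] Starting"),
    ("beat_running",      r"winlogbeat start running"),
    ("output_connected",  r"Connection to backoff\(async\(tcp://[^)]+\)\) established"),
    ("events_published",  r"successfully published (\d+) events"),
]
# Messages that explain why a milestone was never reached (also from this thread).
BLOCKERS = [
    ("no_config_assigned", r"No configurations assigned to this instance"),
    ("api_unreachable",    r"Failed to report collector status to server.*i/o timeout"),
]


def message_of(line):
    """Extract the free-text message from a sidecar or winlogbeat log line, else None."""
    m = SIDECAR_RE.search(line) or BEAT_RE.match(line)
    return m.group("msg") if m else None


def triage(lines):
    """Return reached milestones, the first missing one, blockers seen and events published."""
    reached, problems, events = {}, [], 0
    for line in lines:
        msg = message_of(line)
        if msg is None:
            continue
        for name, pat in MILESTONES:
            m = re.search(pat, msg)
            if m:
                reached[name] = True
                if name == "events_published":
                    events += int(m.group(1))
        for name, pat in BLOCKERS:
            if re.search(pat, msg) and name not in problems:
                problems.append(name)
    # A "no configurations" message only matters if a configuration never arrived afterwards.
    if "config_assigned" in reached and "no_config_assigned" in problems:
        problems.remove("no_config_assigned")
    missing = [n for n, _ in MILESTONES if n not in reached]
    return {"reached": [n for n, _ in MILESTONES if n in reached],
            "first_missing": missing[0] if missing else None,
            "problems": problems, "events": events}


# Sample lines copied from this thread: the healthy run above and the stuck run earlier.
HEALTHY = [
    'time="2021-06-22T10:06:14-04:00" level=info msg="Starting signal distributor"',
    'time="2021-06-22T10:06:24-04:00" level=info msg="Adding process runner for: winlogbeat"',
    'time="2021-06-22T10:06:24-04:00" level=info msg="[winlogbeat] Starting (svc driver)"',
    '2021-06-22T10:06:24.528-0400\tINFO\tinstance/beat.go:468\twinlogbeat start running.',
    '2021-06-22T10:06:25.556-0400\tINFO\t[publisher_pipeline_output]\tpipeline/output.go:151\t'
    'Connection to backoff(async(tcp://MY-GRAYLOG-SERVER:5044)) established',
    '2021-06-22T10:06:25.559-0400\tINFO\tbeater/eventlogger.go:88\tEventLog[Security] successfully published 21 events',
]
STUCK = [
    'time="2021-06-11T16:14:48+02:00" level=info msg="Starting signal distributor"',
    'time="2021-06-11T16:14:58+02:00" level=info msg="No configurations assigned to this instance. Skipping configuration request."',
    'time="2021-06-16T08:31:38+02:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: '
    'Put \\"http://172.19.1.125:9000/api/sidecars/7887d881-62d7-468e-ac26-874eb7d2e41b\\": dial tcp 172.19.1.125:9000: i/o timeout"',
]

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("stuck", STUCK)):
        print(label, triage(sample))
```

Feed it the concatenated contents of sidecar.log and winlogbeat.log from C:\Program Files\Graylog\sidecar\logs; the first missing milestone tells you which side (sidecar API, collector start, Beats input connection) to look at next.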
