I need help with connecting my firewalls to graylog


1. Describe your incident:
I am having issues with being able to see logs after creating the input for the firewall on port 5044. I enabled the port on the Graylog server but it’s still not showing anything, and the sidecar isn’t showing anything as well after setting them up. I have a computer set up with Sidecar.

2. Describe your environment:

  • OS Information:
    Windows 11

  • Package Version: Graylog ver 5.2.6

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
I finished creating my Graylog server and created an input called “firewall” running on port 5044, but no messages are showing. I also set up a Sidecar with Filebeat for Windows, but still no messages are showing. I enabled port 5044 on my Windows device and it’s still not working.

4. How can the community help?
Anything will help, thanks


Hey @NEW2GRAY

Does Graylog see your Graylog Sidecar in the Web UI? The Sidecar you connected should show a “running” state.

If not, can you show your sidecar configurations?
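Before looking at the Filebeat configuration, it is worth confirming two things from the Windows host itself: that the Sidecar service is running (and as which account), and that the host can reach the Beats input on the Graylog server. The following is an added example, not code from the thread or from Graylog. It assumes the Sidecar service is installed under the name `graylog-sidecar` (the name its installer uses) and that the Graylog server is reachable at the placeholder hostname shown; replace that with your own.

```powershell
# Added example (not from the thread). Quick checks on the Windows host that
# runs Graylog Sidecar. Assumptions: service name "graylog-sidecar" and a
# placeholder Graylog hostname; adjust both for your environment.
$GraylogHost = "graylog.example.local"   # assumed placeholder
$BeatsPort   = 5044                      # Beats input port from the thread

# 1. Is the Sidecar service running, and under which account? The account
#    matters later: it is the identity that must be able to read the log file.
Get-Service -Name graylog-sidecar | Select-Object Name, Status
Get-CimInstance Win32_Service -Filter "Name='graylog-sidecar'" |
    Select-Object Name, State, StartName, PathName

# 2. Can this host reach the Beats input? Filebeat makes an outbound TCP
#    connection to the server; the listener lives on the Graylog side, so an
#    inbound rule for 5044 on the Windows host does not help. The port must be
#    reachable through the Graylog server's own firewall.
$tnc = Test-NetConnection -ComputerName $GraylogHost -Port $BeatsPort
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP $BeatsPort on $GraylogHost is closed or filtered: confirm the input is running and the server firewall allows it."
}

# 3. Does the file Filebeat was pointed at exist at all? Windows Defender
#    Firewall only writes pfirewall.log once logging is enabled on a profile,
#    so a missing file means there is nothing for Filebeat to ship yet.
$FwLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $FwLog) {
    Get-Item $FwLog | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Warning "$FwLog does not exist; enable firewall logging for the profile first."
}
```

If step 2 fails, the Graylog server side (input state, server firewall) is the first thing to fix; no amount of Sidecar configuration will produce messages until the TCP connection succeeds.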

Hey, my Sidecar in the web UI is connected.


@gsmith

Another image of the Filebeat configuration I created for it.

@gsmith


@gsmith

I am also getting this on the computer I set up the Sidecar on. Does this mean anything?

Hey @NEW2GRAY

By chance, are you using a Beats input type for Filebeat?

Make sure Graylog Sidecar has permission to enter your System32 folder.

Have you tried another log file besides pfirewall? Perhaps something that’s not in the Windows system folder?

Yeah, I was trying to use the Beats input. How can I double-check that the Sidecar can access my System32 folder? Give it permissions? @gsmith

I tried using syslog and NXLog to get the system logs, but after configuring them it also didn’t work.

Hey

This is Windows security, but the easiest way would be to configure the firewall’s log file outside of the “System32” folder. Otherwise you need to grant Filebeat permission to access the System32 folder, which might not be good for security reasons.

https://answers.microsoft.com/en-us/windows/forum/all/write-permission-in-system32-folder/a15824e2-8545-4a93-b1d0-1f0110c28c32

Not sure what kind of firewall this is on Windows, but usually when a service is installed it registers in Windows Event Viewer, which Winlogbeat should be able to access.
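The relocation suggested above can be done entirely with the built-in NetSecurity cmdlets. The following is an added example, not code from the thread or from Graylog, showing how to move the Windows Defender Firewall log out of System32, turn on logging (dropped and allowed packets are both off by default, which is why pfirewall.log is often empty or absent), and grant read access on the new folder to the account the Sidecar service runs as rather than loosening System32. The target folder `C:\Logs\Firewall`, the assumption that Sidecar runs as LocalSystem, and the service name `graylog-sidecar` are all assumptions; check them against your host.

```powershell
# Added example (not from the thread). Relocates the Windows Defender Firewall
# log outside System32 and sets a least-privilege ACL on the new folder.
# Assumptions: folder path below, Sidecar runs as LocalSystem (installer
# default; verify with the Win32_Service query), service name "graylog-sidecar".
$LogDir  = "C:\Logs\Firewall"              # assumed location outside System32
$LogFile = Join-Path $LogDir "pfirewall.log"

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Account the Sidecar service runs as. StartName reports "LocalSystem", whose
# NT account name for ACL purposes is NT AUTHORITY\SYSTEM.
$svc = Get-CimInstance Win32_Service -Filter "Name='graylog-sidecar'"
$SidecarAccount = if ($svc.StartName -eq "LocalSystem") { "NT AUTHORITY\SYSTEM" } else { $svc.StartName }

# ACL: the firewall service (MpsSvc) must be able to write the log at its new
# location, and the Sidecar account only needs to read it. Nothing else gains
# access; inherited rights from C:\ stay as they are.
$acl = Get-Acl $LogDir
$flags = "ContainerInherit,ObjectInherit"
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "NT SERVICE\MpsSvc", "Modify", $flags, "None", "Allow")))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $SidecarAccount, "ReadAndExecute", $flags, "None", "Allow")))
Set-Acl -Path $LogDir -AclObject $acl

# Point all three profiles at the new file and enable logging. This changes
# only where and what the firewall logs; its filtering rules are untouched.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogFileName $LogFile `
    -LogBlocked True `
    -LogAllowed True `
    -LogMaxSizeKilobytes 32767

# Verify: the log path and flags per profile, and the effective ACL.
Get-NetFirewallProfile | Select-Object Name, LogFileName, LogBlocked, LogAllowed
(Get-Acl $LogDir).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

After this, point the Filebeat collector in Sidecar at `C:\Logs\Firewall\pfirewall.log` instead of the System32 path. The firewall writes the file on the first logged packet, so give it a minute of normal traffic before concluding nothing is being logged.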

Would it be fine if I pulled the log file out of System32? Would that change the way my firewall operates?

My Sysmon shows up in Event Viewer.

Do the Filebeat logs give any further insight? They should be in the generated folder within the Sidecar install location.

Nothing, it’s not showing anything in the Filebeat logs for my Sidecar.

@NEW2GRAY On the Windows host on which you installed Sidecar, in the Sidecar installation folder there should be a folder called generated. Under there will be the log output of the Filebeat instance that is running, which might give some indication as to the issue.

C:\Program Files\Graylog\sidecar\generated\

There are 2 files in the generated folder. Which should I look at?

Hey,

Can you explain what this firewall you have on Windows is? I assume it’s not there by default? The Windows System32 folder is for your OS, so you need privileges to read/write.

It should just be Windows Defender.

Hey,

If it’s Defender logs:

In Event Viewer, expand the “Windows Logs” folder on the left-hand side.
Click on “Microsoft-Windows-Windows Defender/Operational” to view the Windows Defender operational logs.

That would be the path for your firewall logs, which Winlogbeat can read.

EDIT:
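Before committing a Winlogbeat configuration to the channel named above, confirm from PowerShell that the channel exists on the host and actually holds records, otherwise Winlogbeat will connect to the Beats input and ship nothing, which looks identical to the symptom in this thread. The following is an added example, not code from the thread or from Graylog. It checks the Defender Operational channel and, because the poster is trying to collect firewall activity, also the Windows Defender Firewall channel, which is a separate event log. The Graylog hostname in the YAML at the end is a placeholder.

```powershell
# Added example (not from the thread). Verifies Windows event channels before
# pointing Winlogbeat at them. Note the split: the Defender Operational channel
# holds antivirus events; the Firewall channel holds rule and profile changes.
# Per-packet allow/drop records are not in either; they go to pfirewall.log.
$Channels = @(
    "Microsoft-Windows-Windows Defender/Operational",
    "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
)

foreach ($c in $Channels) {
    $info = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    if (-not $info) { Write-Warning "Channel not found: $c"; continue }
    "{0}: enabled={1} records={2}" -f $c, $info.IsEnabled, $info.RecordCount

    # Newest few events, first line of the message only, to see what would ship.
    # An empty channel makes Get-WinEvent throw; that is silenced here.
    Get-WinEvent -LogName $c -MaxEvents 3 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# Matching Winlogbeat section (standard Winlogbeat YAML) to paste into the
# Sidecar collector configuration; the Graylog host is an assumed placeholder.
@"
winlogbeat.event_logs:
  - name: Microsoft-Windows-Windows Defender/Operational
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
output.logstash:
  hosts: ["graylog.example.local:5044"]
"@
```

If a channel shows `records=0`, nothing will arrive in Graylog for it no matter how the collector is configured; generate an event (for example, change a firewall rule) and re-run the check before debugging the Beats side.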