I need help with connecting my firewalls to graylog

Instead of setting it as the Program Files/System32/LogFiles path, right, I would set it as the Windows Defender/Operational log. Does it have anything to do with the ports not being enabled on the server as well?

Incorrect,

You would use Winlogbeat, with something like this in your configuration.

# Beats output: the Graylog host and the port of the Beats input
output.logstash:
  hosts: ["Graylog_ip_address:5044"]

# Sidecar-generated working directories (the hash is the sidecar's generated folder)
path:
  data: C:\Program Files\Graylog\sidecar\generated\6622d69439fc515d2219e98d\data
  logs: C:\Program Files\Graylog\sidecar\generated\6622d69439fc515d2219e98d\logs

tags:
  - default

# event_logs is a list; each entry names one Windows event log channel
winlogbeat.event_logs:
  - name: Microsoft-Windows-Windows Defender/Operational

This is found here

Where is that conf file located?

Hey,

This would be in Graylog's Web UI.

That is found here

https://go2docs.graylog.org/5-0/getting_in_log_data/set_up_sidecar_collectors.htm

OK, let me first take a look at the Event Viewer Defender log. I'll send a screenshot over.

The Event Viewer is for the device I installed on my desktop as the sidecar, correct?

You can also check out this documentation.

https://go2docs.graylog.org/5-0/getting_in_log_data/ingest_windows_eventlog.html?tocpath=Getting%20in%20Logs|Graylog%20Sidecar|Set%20Up%20Sidecar%20Collectors|_____2

The reason I'm telling you this is System32 has your operating system drivers, etc.

Hey,
In the search box type "Event Viewer", then click on it.


What's the next step? Sorry, I am still brand new at this.

@NEW2GRAY

:laughing:

Please read the documentation on Graylog Sidecar I posted and the example above for Windows. It's pretty much the same as Filebeat, except you're using the Windows template instead of the Filebeat template and a couple of different settings.

Alright :joy:, will you still be on if I have any questions?

I'm at work, you have an hour LMAO


I'm switching this out with the Windows Defender path, correct?

Hey,

Yes, like I showed you above.

Just want to double check: the long code after \generated is the API token of the sidecar, correct?

Are you referring to the API token for your sidecar?

Yeah, or is what you typed the exact thing I'm entering for the paths?


Need to delete these as well?

If you have the sidecar already working you should be good; you're attaching the Windows Sidecar template to your device.

Template.

There aren't any logs showing.
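A troubleshooting pass for the "no logs showing" case, added here as an example and not taken from the thread or from Graylog's documentation: it checks that the Defender Operational channel actually holds events, that the sidecar service is up, that TCP 5044 to Graylog is reachable (the "ports not enabled" question from the first post), and tails the newest Winlogbeat log. The Graylog host is a placeholder, the service name "graylog-sidecar" and the sidecar install path are assumptions; adjust them to your setup.

```powershell
# Added example, not Graylog's own tooling. Placeholders/assumptions are marked.
$GraylogHost = "GRAYLOG_IP_PLACEHOLDER"          # replace with your Graylog server
$BeatsPort   = 5044                               # port from output.logstash hosts
$LogName     = "Microsoft-Windows-Windows Defender/Operational"
$SidecarRoot = "C:\Program Files\Graylog\sidecar" # assumed install path

# 1. Does the Defender Operational channel exist and contain events?
#    If RecordCount is 0, Winlogbeat has nothing to ship regardless of the config.
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
"{0}: {1} records, enabled={2}" -f $log.LogName, $log.RecordCount, $log.IsEnabled

# Show the five most recent events to compare against what arrives in Graylog.
Get-WinEvent -LogName $LogName -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName |
    Format-Table -AutoSize

# 2. Is the sidecar service running? (Service name is an assumption; confirm in services.msc.)
$svc = Get-Service -Name "graylog-sidecar" -ErrorAction SilentlyContinue
if ($null -eq $svc) { "Sidecar service not found" } else { "Sidecar service: {0}" -f $svc.Status }

# 3. Can this host reach the Beats input port on the Graylog server?
#    A failed TCP test points at a firewall rule or a Beats input that is not running,
#    not at the winlogbeat.event_logs section.
$tcp = Test-NetConnection -ComputerName $GraylogHost -Port $BeatsPort -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    "TCP {0}:{1} reachable" -f $GraylogHost, $BeatsPort
} else {
    "TCP {0}:{1} NOT reachable: check the Windows firewall and that a Beats input is started in Graylog" -f $GraylogHost, $BeatsPort
}

# 4. Tail the newest Winlogbeat log under the generated sidecar directory (path.logs above);
#    connection refused / TLS errors show up here.
Get-ChildItem -Path (Join-Path $SidecarRoot "generated") -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -like "*\logs" } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 |
    ForEach-Object { "--- {0} ---" -f $_.FullName; Get-Content $_.FullName -Tail 20 }
```

Run it in an elevated PowerShell on the machine running the sidecar; the Defender channel and the sidecar's generated directory both need administrator rights to read.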