Hello guys…
I'm planning to implement Graylog in a Windows environment and I'm a little bit confused by all the different ways to implement it…
So I already tested it a little bit in a VM and it worked well… but now I have to roll it out on the clients…
Does Sidecar already include the Winlogbeat plugin? (I want to use it because there are no troubles reading the Security log.)
How do I deploy it with Group Policy?
Does it really work with Sidecar on a network share and "graylog_sidecar_installer_1.0.0-1.exe /S -SERVERURL=http://10.0.2.2:9000/api -APITOKEN=yourapitoken"?
I got stuck on this as well.
First, you want to manage the configurations for any collector that is attached to Graylog Sidecar from within Graylog itself (System -> Sidecars -> Configuration). Graylog will handle pushing out the new YAML config and restarting the collector services. Note that I think only Winlogbeat and Filebeat are supported by Sidecar, all other Beats collectors need to be set up manually.
Finally, just because I also wasn't able to find a good reference configuration online, here's a YAML configuration for Winlogbeat for your reference:
```yaml
# Needed for Graylog
# The nodeName and nodeId variables are needed to correlate logs to their sources
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  # Graylog's Beats input is your "logstash" output in your Beats configuration
  hosts: ["127.0.0.1:5044"]

path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

tags:
  - windows

winlogbeat:
  event_logs:
    # Each "name" refers to a specific path in Windows Event logs, such as System, Setup, Application, or Security.
    # You can define rules specific to each path. Winlogbeat will only collect events from the channels you've included by adding a name for them here.
    # For example, this configuration only collects Security logs, System logs, and the DNS client logs.
    # If you want to collect logs for more specific Windows event categories, just browse to them in Event Viewer and copy the path as a new 'name' entry in this config.
    - name: Security
      ignore_older: 168h
      # You can declare multiple processors for any given event category.
      # In this case we're dropping the full-text message field for common security events (as Winlogbeat will include its own fields that contain this data anyway).
      processors:
        - drop_fields:
            when.or:
              - equals.event_id: 4624
              - equals.event_id: 4634
              - equals.event_id: 4625
              - equals.event_id: 4648
              - equals.event_id: 4768
              - equals.event_id: 4658
              - equals.event_id: 4776
            fields: ["message"]
    - name: 'Microsoft-Windows-DNS-Client/Operational'
      ignore_older: 168h
      processors:
        # Here we're dropping all events in this category except event ID 3008,
        # and only keeping those 3008 events whose QueryOptions is not the default value and whose QueryResults is not empty.
        - drop_event.when.not:
            and:
              - equals.event_id: 3008
              - and:
                  - not.equals.event_data.QueryOptions: '140737488355328'
                  - not.equals.event_data.QueryResults: ''
    - name: System
      ignore_older: 168h
      processors:
        # Keep only Eventlog-service events, Group Policy errors with the listed IDs, and the "log was cleared" event (104).
        - drop_event.when.not:
            or:
              - equals.source_name: 'Microsoft-Windows-Eventlog'
              - and:
                  - equals.source_name: 'Microsoft-Windows-GroupPolicy'
                  - equals.level: Error
                  - or:
                      - equals.event_id: 1085
                      - equals.event_id: 1125
                      - equals.event_id: 1127
                      - equals.event_id: 1129
              - and:
                  - equals.source_name: 'Microsoft-Windows-Eventlog'
                  - equals.level: Information
                  - equals.event_id: 104
```
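The processor rules in that config decide which events ever leave the host, so it is worth dry-running them before a rollout. The following is an added example, not part of this thread and not Graylog's or Winlogbeat's own code: a small Python evaluator for the condition subset the config uses (equals, and, or, not with dotted field keys), with the Security and DNS-client rules rewritten as Python dicts and applied to constructed sample events. The field names (event_id, event_data.QueryOptions, event_data.QueryResults, message) follow Winlogbeat; the sample events, the QueryName/QueryResults values, and the helper names (get_field, evaluate, split_processor, apply_processors, filter_events) are assumptions for the demo.

```python
"""Dry-run the drop_fields / drop_event rules from the Winlogbeat config above.
Added example, not part of the thread: a minimal evaluator for the Beats condition
subset the config uses (equals / and / or / not, dotted keys) on constructed events."""


def get_field(event, dotted):
    """Resolve a dotted key such as 'event_data.QueryOptions' in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(cond, event):
    """True if the Beats-style condition matches. Shapes handled, as in the YAML:
    {"equals.event_id": 4624}, {"equals": {...}}, {"not.equals.x": v},
    {"and": [...]}, {"or": [...]}, {"not": c}; several keys in one dict are an AND."""
    results = []
    for key, value in cond.items():
        head, _, rest = key.partition(".")
        if head == "and":
            results.append(all(evaluate(c, event) for c in value))
        elif head == "or":
            results.append(any(evaluate(c, event) for c in value))
        elif head == "not":
            # 'not.equals.x: v' is shorthand for {'not': {'equals.x': v}}
            inner = {rest: value} if rest else value
            results.append(not evaluate(inner, event))
        elif head == "equals":
            pairs = value.items() if not rest else [(rest, value)]
            results.append(all(get_field(event, f) == v for f, v in pairs))
        else:
            raise ValueError(f"unsupported condition: {key}")
    return all(results)


def split_processor(proc):
    """Normalize one processor entry to (action, when_condition, options), accepting
    the dotted shorthand from the config, e.g. 'drop_event.when.not' or 'when.or'."""
    [(name, body)] = proc.items()
    action, _, tail = name.partition(".")
    if tail:  # 'drop_event.when.not': body -> {'when.not': body}
        body = {tail: body}
    when, options = None, {}
    for key, value in body.items():
        if key == "when":
            when = value
        elif key.startswith("when."):
            when = {key[len("when."):]: value}
        else:
            options[key] = value
    return action, when, options


def apply_processors(processors, event):
    """Run the processors in order; return the trimmed event, or None if dropped."""
    event = dict(event)
    for proc in processors:
        action, when, options = split_processor(proc)
        if when is not None and not evaluate(when, event):
            continue
        if action == "drop_event":
            return None
        if action == "drop_fields":
            for field in options.get("fields", []):
                event.pop(field, None)
        else:
            raise ValueError(f"unsupported processor: {action}")
    return event


def filter_events(processors, events):
    """Return only the events that survive the processor chain."""
    kept = (apply_processors(processors, e) for e in events)
    return [e for e in kept if e is not None]


# The Security and DNS-client rules from the config above, as Python dicts.
SECURITY_PROCESSORS = [{"drop_fields": {
    "when.or": [{"equals.event_id": i} for i in (4624, 4634, 4625, 4648, 4768, 4658, 4776)],
    "fields": ["message"]}}]
DNS_PROCESSORS = [{"drop_event.when.not": {"and": [
    {"equals.event_id": 3008},
    {"and": [{"not.equals.event_data.QueryOptions": "140737488355328"},
             {"not.equals.event_data.QueryResults": ""}]}]}}]

# Constructed sample events (not real log data); event_data values are strings, as Winlogbeat emits them.
SAMPLE_EVENTS = [
    {"event_id": 4624, "message": "An account was successfully logged on.",
     "event_data": {"LogonType": "3"}},
    {"event_id": 4720, "message": "A user account was created.", "event_data": {}},
    {"event_id": 3008, "event_data": {"QueryName": "host.example.test",
                                      "QueryOptions": "140737488355328", "QueryResults": "192.0.2.10;"}},
    {"event_id": 3008, "event_data": {"QueryName": "host.example.test",
                                      "QueryOptions": "0", "QueryResults": "192.0.2.10;"}},
    {"event_id": 3006, "event_data": {"QueryName": "host.example.test"}},
]
```

Calling `filter_events(DNS_PROCESSORS, SAMPLE_EVENTS)` keeps only the second 3008 event, and `apply_processors(SECURITY_PROCESSORS, SAMPLE_EVENTS[0])` returns the 4624 event without its message field while the 4720 event passes through untouched. The evaluator assumes Beats' typed comparison: `equals.event_id: 4624` only matches an integer event_id, and event_data values are compared as strings, which is why the config quotes '140737488355328'. A comparison that silently never matches (wrong type, misspelled field) is the failure mode to look for when a rule appears to keep or drop everything.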