Implement Graylog in a Windows environment

Hello guys…
I'm planning to implement Graylog in a Windows environment and I'm a little bit confused by all the different ways to implement it…

So I already tested a little bit in a VM and it worked well… but now I have to roll out on clients…

Sidecar already includes the Winlogbeat plugin, right? (I want to use it because there are no troubles with reading the security log.)
How do I deploy it with Group Policy?
Does it really work with Sidecar on a network share and the "graylog_sidecar_installer_1.0.0-1.exe /S -SERVERURL= -APITOKEN=yourapitoken"


& "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
& "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start
commands per logon script?

And how can I configure Winlogbeat to only log specific event IDs? In the basic config there's only everything (Application, System, Security etc.)

Best regards from Austria


I got stuck on this as well.
First, you want to manage the configurations for any collector that is attached to Graylog Sidecar from within Graylog itself (System -> Sidecars -> Configuration). Graylog will handle pushing out the new YAML config and restarting the collector services. Note that I think only Winlogbeat and Filebeat are supported by Sidecar, all other Beats collectors need to be set up manually.

Second, you’ll want to write a YAML config for Winlogbeat. Use the ElasticStack documentation as a reference:

Finally, just because I also wasn’t able to find a good reference configuration online, here’s a YAML configuration for Winlogbeat for your reference:

# Needed for Graylog
# The nodeName and nodeId variables are needed to correlate logs to their sources
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# Graylog's Beats input is your "logstash" output in your Beats configuration
output.logstash:
   hosts: [""]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat.event_logs:
# Each "name" refers to a specific path in Windows Event logs, such as System, Setup, Application, or Security.
# You can define rules specific to each path. Winlogbeat will only log events which you've included by adding a name for them here.
# For example, this configuration only collects Security logs, System logs, and the DNS client logs
# If you want to collect logs for more specific Windows event categories, just browse to them in event viewer and copy the path as a new 'name' entry in this config
  - name: Security
    ignore_older: 168h
# you can declare multiple processors for any given event category
# in this case we're dropping the full text message field for common security events (as Winlogbeat will include its own fields that contain this data anyway)
    processors:
      - drop_fields:
          when:
            # any one of these event IDs matches
            or:
              - equals.event_id: 4624
              - equals.event_id: 4634
              - equals.event_id: 4625
              - equals.event_id: 4648
              - equals.event_id: 4768
              - equals.event_id: 4658
              - equals.event_id: 4776
          fields: ["message"]
  - name: 'Microsoft-Windows-DNS-Client/Operational'
    ignore_older: 168h
# Here we're dropping all events in this category except event ID 3008
    processors:
      - drop_event.when.not:
          and:
          - equals.event_id: 3008
          - and:
            - not.equals.event_data.QueryOptions: '140737488355328'
            - not.equals.event_data.QueryResults: ''
  - name: System
    ignore_older: 168h
    processors:
      - drop_event.when.not:
          # an event is kept if any one of the following conditions matches
          or:
          - equals.source_name: 'Microsoft-Windows-Eventlog'
          - and:
            - equals.source_name: 'Microsoft-Windows-GroupPolicy'
            - equals.level: Error
            - or:
              - equals.event_id: 1085
              - equals.event_id: 1125
              - equals.event_id: 1127
              - equals.event_id: 1129
          - and:
            - equals.source_name: 'Microsoft-Windows-Eventlog'
            - equals.level: Information
            - equals.event_id: 104
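
To see which System events the rule in the configuration above actually forwards before rolling it out, here is an added example (not part of the original post, and not Graylog or Winlogbeat code): a small evaluator for equals/and/or/not condition trees, run over constructed events. It assumes the top-level combinator under `drop_event.when.not` is `or`; the function and variable names are hypothetical.

```python
# Added example: offline check of a drop_event.when.not rule before rollout.
# Conditions are nested dicts with exactly one operator per mapping.

def matches(cond, event):
    """Evaluate an equals/and/or/not condition tree against one event dict."""
    if len(cond) != 1:
        raise ValueError("expected exactly one operator per condition")
    (op, arg), = cond.items()
    if op == "equals":
        return all(event.get(field) == want for field, want in arg.items())
    if op == "not":
        return not matches(arg, event)
    if op == "and":
        return all(matches(c, event) for c in arg)
    if op == "or":
        return any(matches(c, event) for c in arg)
    raise ValueError(f"unsupported operator: {op}")

EVENTLOG = "Microsoft-Windows-Eventlog"
GPO = "Microsoft-Windows-GroupPolicy"

# The System rule from the post; the top-level "or" is an assumption.
SYSTEM_KEEP = {"or": [
    {"equals": {"source_name": EVENTLOG}},
    {"and": [
        {"equals": {"source_name": GPO}},
        {"equals": {"level": "Error"}},
        {"or": [{"equals": {"event_id": i}} for i in (1085, 1125, 1127, 1129)]},
    ]},
    {"and": [
        {"equals": {"source_name": EVENTLOG}},
        {"equals": {"level": "Information"}},
        {"equals": {"event_id": 104}},
    ]},
]}

def shipped(events, keep=SYSTEM_KEEP):
    """drop_event.when.not: keep  ->  an event is sent only if keep matches."""
    return [e for e in events if matches(keep, e)]

# Constructed sample events (not real log data).
SAMPLES = [
    {"source_name": EVENTLOG, "level": "Information", "event_id": 104},
    {"source_name": GPO, "level": "Error", "event_id": 1129},
    {"source_name": GPO, "level": "Information", "event_id": 1129},
    {"source_name": "Service Control Manager", "level": "Information", "event_id": 7045},
    {"source_name": EVENTLOG, "level": "Error", "event_id": 9999},  # made-up ID
]

if __name__ == "__main__":
    for e in shipped(SAMPLES):
        print(e)
```

Under that assumption the made-up 9999 event is forwarded because the first clause matches every event from Microsoft-Windows-Eventlog, while the Service Control Manager 7045 event (service installed) is dropped. Running candidate rules over a few exported events like this shows what a filter discards before it reaches the clients.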

Hey thank you very much! I will give it a shot :slight_smile:
