Hi Jan, thanks for your support.
Actually I solved the problem. I’m writing the solution right here in the hope somebody would find it useful.
I found that the only way to have Packetbeat working with Graylog is to let it be run by Sidecar. So I needed to configure a new log collector manually (I found only winlogbeat, filebeat and nxlog templates, despite what I read on the website announcing version 3) and push this configuration:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
path:
  # Packetbeat state and log locations managed by Sidecar
  data: C:\Program Files\Graylog\sidecar\cache\packetbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
packetbeat.interfaces:
  device: 0
packetbeat.protocols:
  # Only DNS traffic is captured
  dns:
    ports: [53]
output:
  # Graylog Beats input listening on port 5046
  logstash:
    hosts: ["graylog:5046"]
The input is of Beats type. I also needed to configure a processing pipeline to fill the source and message fields, which were sent null by the Packetbeat collectors. Everything seems to work with these two rules:
rule "Fill source field"
when
  has_field("beats_type")
then
  set_field("source", $message.packetbeat_collector_node_id);
end

rule "Fill message field"
when
  has_field("beats_type")
then
  set_field("message", $message.packetbeat_query);
end
All Packetbeat messages are pushed into their own Packetbeat DNS stream, and the pipeline is applied only to this stream.
Do you suggest any better ways to approach this?
Thanks a lot!