Sweet! I got my own working. THANK YOU for your help.
I may need to start a new topic but…
I’m trying to get the AD Content pack working and I can’t figure out what I’m doing wrong. AND since I removed the winlogbeats from the beats input… I tried modifying the queries but that didn’t work. I have a REALLY strange issue occurring with my searches. Ex. if I search for:
winlog_event_id: == “4733”
I get results but… they are for event ID 4624 and others. It just so happens that there is 4733 in the message field under Logon GUID and in the winlog_event_data_LogonGuid field. Why is a search of winlog_event_id pulling data from other fields?
Here is the content pack that started all of this and is thoroughly confusing me. I suspect if I can fix the search pulling back odd results I can fix the winlogbeats_ by replacing it with winlog_ but… I could be wrong:
Active Directory Auditing (WinLogBeats) - Graylog 3.0.2+ - the NEW Marketplace / Content Pack - Graylog Community