Queries not working properly?


(G) #1

Hi, I’m running a fresh install of Graylog 2.3.1. I currently have logs pouring in from my AD servers. I installed nxlog but could not get sidecar to work. Regardless, nxlog is working and I do see messages pouring in, so I think I have it set up correctly.

I seem to be having trouble getting queries to work properly on the main screen. My goal is to query AD events like account lockouts and such and see daily counts on my dashboard widgets. I’m using the Active Directory Auditing module for some of the built-in widgets and streams to accomplish this. However, they don’t seem to be accurate or even working sometimes. Every time I try to query for something like “EventId: 4740” I get “nothing found”, even though I know I can see the logs on the main page. I thought it could have something to do with the colon, so I tried escape characters like EventID: 4740, but that just returned more irrelevant results. The built-in stock counters in the module are displaying incorrect information (or not working), so I think these issues are related.

Any help would be greatly appreciated!


(Jochen) #2

There must be no whitespace character between the colon character and the query.

Example:

EventId:4740

(G) #3

Thanks for getting back to me!

So when I do that it comes back with “Nothing Found.” In examining the messages coming in, I don’t actually see the label “EventId:” in the message body. The body looks something like this in Graylog, which was pulled from my Windows AD server security logs.

ad1.domain.com MSWinEventLog 3 Security 1380259 Mon Apr 30 09:50:45 2018 4625 Microsoft-Windows-Security-Auditing N/A N/A Failure Audit ad1.domain.com Logon An account failed to log on.

If I change my query to just 4625 it does find some messages, however it pulls some from source:nginx which don’t seem relevant. They should all be from my AD servers. I thought I could refine my query by doing something like:

source:ad1.domain.com and message:4625

But that didn’t work right and returned 500k+ messages from all different event IDs. Maybe my syntax is wrong?

I used the AD content pack plugin to use the built-in widgets to check data on a dashboard. I looked at the JSON file for this plugin and every built-in query has “EventId: xxxx” in the file. I would have thought it would just work out of the box, but if this is the case, I’m going to have to change every line in the JSON file!

Is there something else I could be doing wrong here?
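The behaviour described in this post, as an added, stand-alone illustration (not code from Graylog, nxlog or the content pack): a field query such as EventID:4625 can only match once an extractor has turned the MSWinEventLog (Snare) columns into message fields, whereas a bare 4625 is a free-text match that also hits any unrelated message containing those digits. The field names, the Grok-style pattern and the sample lines are constructed for the example.

```python
import re

# Constructed sample messages, modelled on the MSWinEventLog line quoted in the
# thread. nxlog emits the columns tab-separated; the Graylog message view
# collapses the tabs to spaces, so the pattern accepts either separator.
SAMPLE_MESSAGES = [
    ("ad1.domain.com", "ad1.domain.com MSWinEventLog 3 Security 1380259 "
     "Mon Apr 30 09:50:45 2018 4625 Microsoft-Windows-Security-Auditing N/A N/A "
     "Failure Audit ad1.domain.com Logon An account failed to log on."),
    ("ad1.domain.com", "ad1.domain.com\tMSWinEventLog\t1\tSecurity\t1380260\t"
     "Mon Apr 30 09:51:02 2018\t4740\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\t"
     "Success Audit\tad1.domain.com\tUser Account Management\tA user account was locked out."),
    ("nginx", 'GET /item/4625 HTTP/1.1 200 4625 "-" "curl/7.58.0"'),  # unrelated hit for "4625"
]

# Hypothetical Grok-style pattern for the fixed leading columns of the Snare format.
SNARE_RE = re.compile(
    r"^(?P<Hostname>\S+)\s+MSWinEventLog\s+(?P<Criticality>\d+)\s+(?P<LogName>\S+)\s+"
    r"(?P<Counter>\d+)\s+(?P<EventTime>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<EventID>\d+)\s+(?P<SourceName>\S+)\s+(?P<UserName>\S+)\s+(?P<SIDType>\S+)\s+"
    r"(?P<EventLogType>Success Audit|Failure Audit|Information|Warning|Error)\s+"
    r"(?P<ComputerName>\S+)\s+(?P<Rest>.*)$"
)

def extract_fields(source, message):
    """Return the fields an extractor would have to add for EventID:4625 to match.
    Messages that are not in Snare format keep only 'source' and 'message'."""
    fields = {"source": source, "message": message}
    m = SNARE_RE.match(message)
    if m:
        fields.update(m.groupdict())
    return fields

def search(records, **terms):
    """Field-query filter with AND semantics: every field=value term must match.
    A term on 'message' is a substring (free-text) match; other fields match exactly."""
    hits = []
    for rec in records:
        for field, value in terms.items():
            actual = rec.get(field)
            if actual is None or (value not in actual if field == "message" else actual != value):
                break
        else:
            hits.append(rec)
    return hits

RECORDS = [extract_fields(src, msg) for src, msg in SAMPLE_MESSAGES]

if __name__ == "__main__":
    print(len(search(RECORDS, message="4625")))                          # 2: nginx line matches too
    print(len(search(RECORDS, EventID="4625")))                          # 1: only the parsed AD event
    print(len(search(RECORDS, source="ad1.domain.com", EventID="4740"))) # 1
```

Graylog's boolean operators are written in upper case (AND, OR, NOT); a lower-case "and" is treated as an ordinary search term, which is one reason a query like source:ad1.domain.com and message:4625 can return far more than intended.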


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.