Sending Windows Logs to GrayLog

I have a GrayLog server running on Ubuntu 20.04 Server. I want to monitor Windows logs through that. My question is how to configure Graylog to receive Windows logs.

I have installed Winlogbeat on windows machine and below is the configuration. I do not see any messages on GrayLog. I configured Beats Input on Graylog. Is there something missing or wrong in the winlogbeat configuration?

```yaml
winlogbeat.event_logs:
  - name: System
  - name: Security
  - name: ForwardedEvents
    tags: [forwarded]

output.logstash:
  # The Logstash hosts
  hosts: ["192.192.168.10.5:515"]

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
```
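A quick sanity check of the `output.logstash.hosts` line in the config above, added here as an example and not part of the original post: it flags curly quotes (which YAML keeps as part of the string) and addresses that do not parse as IPv4, such as the five-octet `192.192.168.10.5`. The corrected line is an assumption with placeholder address and port (5044 is the default port of Graylog's Beats input), not a value from this thread.

```python
import ipaddress
import re

# Constructed sample: the hosts line as posted in the forum, with the
# curly quotes preserved because they are one of the things to catch.
POSTED_LINE = 'hosts: [“192.192.168.10.5:515”]'
# Assumed corrected form: placeholder address, and the Beats input default port.
FIXED_LINE = 'hosts: ["192.168.10.5:5044"]'

CURLY = '“”‘’'


def lint_hosts_line(line: str) -> list[str]:
    """Return human-readable problems found in a winlogbeat `hosts:` line."""
    problems = []
    if any(ch in line for ch in CURLY):
        problems.append('curly quotes: YAML keeps them in the string, use straight "')
    # Take the value after the key, drop the list brackets, split the entries.
    body = line.split(':', 1)[1].strip().strip('[]')
    for raw in body.split(','):
        entry = raw.strip().strip('"\'' + CURLY)
        if not entry:
            continue
        host, sep, port = entry.rpartition(':')
        if not sep or not port.isdigit():
            problems.append(f'{entry}: expected host:port')
            continue
        if not 1 <= int(port) <= 65535:
            problems.append(f'{entry}: port out of range')
        if re.fullmatch(r'[\d.]+', host):
            # Dotted-decimal: must be exactly four octets, each 0-255.
            try:
                ipaddress.IPv4Address(host)
            except ValueError:
                octets = host.count('.') + 1
                problems.append(f'{entry}: {host} is not a valid IPv4 address ({octets} octets)')
        elif not re.fullmatch(r'[A-Za-z0-9.-]+', host):
            problems.append(f'{entry}: {host} is not a valid hostname')
    return problems


if __name__ == '__main__':
    for line in (POSTED_LINE, FIXED_LINE):
        print(line, '->', lint_hosts_line(line) or 'ok')
```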

Are you installing just winlogbeats on the windows machines? It is much preferable to install Sidecar (which includes winlogbeats) from here

From there, in short, create the input, modify the sidecar configuration on the windows machine so it sees the Graylog server, create a log collector on the Graylog server, create a configuration based on the collector, then apply the configuration to the windows machine that should show up in the system/sidecars/administration list. (from memory)

Detail on configuration is here: Graylog Sidecar — Graylog 4.1.0 documentation

If you are still having problems, it is helpful to post your configuration code (Windows sidecar configuration, Graylog log collector, collector configuration, plus any errors); be as specific as possible.

Please use the forum tools (such as </>) to make the code readable.


Yes, I only installed Winlogbeats. I will try with Sidecar as you explained. Thanks for the help.
