1. Describe your incident:
Hi,
I just realized that our AD servers don't forward 4740 events to Graylog. As far as I can see, (all?) other events are forwarded properly.
To rule out an improper config I simplified the beats config, yet without success:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["172.17.2.199:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
    - name: DFS Replication
    - name: Directory Service
    - name: DNS Server
2. Describe your environment:
Graylog 4.3.6
Ubuntu LTS 18
4. How can the community help?
What could cause this?
Is this a known issue?
Is there a known workaround?
Hello,
Depends on the DC, ensure you have audit logging enabled on those DCs. Would show you a picture of a Windows domain controller and how to enable that, but boarding an airplane.
Audit logging is already enabled and the events are visible in the Windows event log, but some events (e.g. account lockout) are not submitted to Graylog, while others like group membership changes are.
However, I discovered an outdated/incompatible sidecar installation on the domain controllers (v 1.0.2). Maybe that's the issue. I'll upgrade it to 1.2.0 and post an update afterwards.
I have Sidecar 1.1.0 running on our DC and I am receiving EventID 4740 (currently working on building a script to warn users of lockout). Double check any extractors or pipelines you have attached to the incoming messages: could they be changed or dropped? Did the newer version of Sidecar help?
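The thread's first two replies boil down to one check before suspecting the sidecar or any extractor: confirm on the DC itself that lockout auditing is switched on and that 4740 events are actually being written locally in the period you are searching in Graylog. The following PowerShell is an added example written for this thread; it is not code from the original posts or from Graylog. It assumes an elevated session on a domain controller, that `auditpol` and `Get-WinEvent` are available (both are built into Windows Server), and that 4740 is logged under the "User Account Management" audit subcategory with TargetUserName as its first event-data field. The function name `Test-LockoutAuditing` and its `-Hours` parameter are this example's own.

```powershell
# Added example, not from the thread: verify on the DC that account-lockout
# auditing is enabled and that 4740 events exist locally before blaming the
# shipper (winlogbeat/sidecar) or a Graylog extractor/pipeline.
# Run in an elevated PowerShell session on the domain controller.

function Test-LockoutAuditing {
    param(
        [int]$Hours = 24   # look-back window for local 4740 events (assumed default)
    )

    # 4740 (account locked out) is written under the
    # "User Account Management" audit subcategory; read its current setting.
    $auditLine = auditpol /get /subcategory:"User Account Management" |
        Where-Object { $_ -match 'User Account Management' }
    # The subcategory must at least audit Success for 4740 to be generated.
    $auditEnabled = [bool]($auditLine -match 'Success')

    # Count 4740 events in the Security log inside the look-back window.
    # Get-WinEvent returns newest first; -ErrorAction hides the "no events" error.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    $newest = if ($events.Count -gt 0) { $events[0] } else { $null }

    [pscustomobject]@{
        AuditPolicyLine     = ($auditLine -join ' ').Trim()
        AuditEnabled        = $auditEnabled
        Since               = $since
        LockoutEvents       = $events.Count
        NewestLockout       = if ($newest) { $newest.TimeCreated } else { $null }
        # Properties[0] of 4740 is TargetUserName (the locked-out account).
        NewestLockedAccount = if ($newest) { $newest.Properties[0].Value } else { $null }
    }
}

# Usage: compare LockoutEvents here with what Graylog shows for the same window.
Test-LockoutAuditing -Hours 24 | Format-List
```

If `AuditEnabled` is false, the DC never writes 4740 and no shipper setting will help. If it is true and `LockoutEvents` is greater than zero but the same window in Graylog shows nothing, the gap is between winlogbeat and the stream: check the collector's log under the `logs` path from the config above, then walk the input's extractors and the stream's pipeline rules, as the last reply suggests.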