Sidecar + WinLogBeat: Problem with JSON?

At least I assume the problem is with JSON. I have two collector configurations: a base config with a tag for ‘windows’ for my windows servers and a second with a tag of ‘DC’ for domain controllers (plan was to layer up configurations like SQL, DC, IIS, etc).

On my second config I am trying to pull Windows ‘security’ event logs and then specify which event IDs I need. Problem is, Graylog seems to be “alphabetizing” the array. For testing, this is my input event name

[{'name':'Security', 'event_ID':'4624'}]

Which is being pushed via sidecar to the servers like this:

  - name: Microsoft-Windows-Sysmon/Operational (from another input)
  - event_ID: "4624"
    name: Security

Any ideas?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.