At least I assume the problem is with JSON. I have two collector configurations: a base config with a tag for ‘windows’ for my Windows servers and a second with a tag of ‘DC’ for domain controllers (plan was to layer up configurations like SQL, DC, IIS, etc).
On my second config I am trying to pull Windows ‘security’ event logs and then specify which event IDs I need. Problem is, Graylog seems to be “alphabetizing” the array. For testing, this is my input event name
Which is being pushed via sidecar to the servers like this:
winlogbeat:
  event_logs:
    - name: Microsoft-Windows-Sysmon/Operational  # (from another input)
    - event_ID: "4624"
      name: Security