Sidecar + WinLogBeat: Problem with JSON?

bluescreenofwin · July 20, 2017, 9:23pm

At least I assume the problem is with JSON. I have two collector configurations: a base config with a tag for ‘windows’ for my windows servers and a second with a tag of ‘DC’ for domain controllers (plan was to layer up configurations like SQL, DC, IIS, etc).

On my second config I am trying to pull Windows ‘security’ event logs and then specify which event IDs I need. Problem is, Graylog seems to be “alphabetizing” the array. For testing, this is my input event name

[{'name':'Security', 'event_ID':'4624'}]

Which is being pushed via sidecar to the servers like this:

winlogbeat:
  event_logs:
  - name: Microsoft-Windows-Sysmon/Operational (from another input)
  - event_ID: "4624"
    name: Security

Any ideas?

system · August 3, 2017, 9:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Windows events to graylog server Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	3	4762	December 27, 2018
Graylog Collector Alphabetizing JSON Array? Graylog Central (peer support) sidecar , winlogbeat	1	491	September 4, 2018
More Windows Event logs than what I need Graylog Central (peer support) sidecar , winlogbeat	4	3079	August 15, 2017
Winlogbeat "publishes" fine but specific events aren't seen in Graylog Graylog Central (peer support) sidecar , winlogbeat	1	1055	April 13, 2021
Collector configuration of winlogbeat snippets were not working in graylog Graylog Central (peer support) sidecar , winlogbeat	2	1166	February 23, 2018

Sidecar + WinLogBeat: Problem with JSON?

Related topics