Streams - Windows admin login


I am trying to create a stream that would filter my administrator logins and i am struggling to find some good documentation about this.

Anyone in here have any idea or did it already and working?


Hi @adrianrus

the documentation for GL is a starting point.
Can you please describe the term “filter” and what an admin log looks like?

I mean that i want to receive those log when the administrator account is used for login on that server

Hey @adrianrus

You may want to read this documentation.

Adding an appender and logger to the Log4j2 configuration file (log4j2.xml) as shown in the doc’s.
This example I’m using Nxlog with a input created to grab the log from restaccess.log noticed the names used " access". Side note Im using GELF TCP/TLS input so it auto creates the field SourceModuleName.

<Input access>
    Module       im_file
    FILE         "/var/log/graylog-server/restaccess.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    #Exec  $Message = $raw_event;




NOTE: the restaccess.log file only shows the UUID of the user. So these must be turned into human readable data.

Or you can use the Graylog’s Operations/Enterprise edition. Under 2 Gb a day I believe its free.


I did some explaining here in Graylog Discord server.

Sorry, I misunderstood you.
This is in the subject “Windows admin login” and I assumed you want the admin logs of your Windows servers :wink:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.