We’ve finally managed to get time/paperwork in place to run the python script. Unfortunately when I run the script I just get some blue text giving me the URL I’ve just typed in, nothing else seems to happen.
I’ve run the script as you demonstrated, doing so without username/password resulted in a 401 error and crash.
Looking into this. My assumption is the script naively takes the URL and executes the web requests based on that. I’m working on getting my lab up and running with opensearch TLS (running into some issues that a coworker will help me with tomorrow).
Sorry @drewmiranda-gl another error. Appears to be an issue with --no-verify.
line 16
Attribute error: Module 'argparse' has no attribute 'BooleanOptionalAction'
I have noticed there are quite a lot of replicated fields within single winlogbeat logs, it looks like a Graylog problem as they’re not documented Beats fields but I can’t find anything in the GL documentation either. I can’t fix this easily in Beats processors or Pipelines as there are just too many logs with this issue (and each are potentially slightly different).
e.g.
winlogbeat_event_code (not documented in Beats)
winlogbeat_winlog_event_id (is documented in Beats)
winlogbeat_event_provider (not documented in Beats)
winlogbeat_winlog_event_provider (is documented in Beats)
Alternatively you can remove the arg and manually set the verify property in the python file.
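An added example, not the script discussed in this thread: one way to define a `--no-verify` flag that parses on interpreters both with and without `argparse.BooleanOptionalAction` (which was added in Python 3.9), so the same file runs on older Python without manually editing the verify property. The `url` positional argument and the verify-on default are assumptions.

```python
import argparse
import sys

# Added example (not the thread's script). The flag controls the value
# that would later be passed as requests' verify= argument.


def build_parser(legacy=False):
    """Build the parser; legacy=True forces the pre-3.9 code path."""
    parser = argparse.ArgumentParser(description="hypothetical OpenSearch helper")
    parser.add_argument("url", help="base URL of the API (assumed argument)")
    if hasattr(argparse, "BooleanOptionalAction") and not legacy:
        # Python >= 3.9: one definition yields both --verify and --no-verify
        parser.add_argument("--verify", default=True,
                            action=argparse.BooleanOptionalAction,
                            help="verify the TLS certificate (default: on)")
    else:
        # Older Python: emulate the pair with store_true / store_false
        group = parser.add_mutually_exclusive_group()
        group.add_argument("--verify", dest="verify", action="store_true",
                           help="verify the TLS certificate (default)")
        group.add_argument("--no-verify", dest="verify", action="store_false",
                           help="skip TLS certificate verification")
        parser.set_defaults(verify=True)
    return parser


def tls_verify_setting(argv, legacy=False):
    """Return True unless --no-verify was given on the command line."""
    args = build_parser(legacy=legacy).parse_args(argv)
    return args.verify


if __name__ == "__main__":
    print(tls_verify_setting(sys.argv[1:]))
```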
Can you clarify what you mean by “not documented in beats”? Beats collect log data but there isn’t any standard or exhaustive list of each and every possible field.
Part of what is happening is that graylog is prepending winlogbeat_ (depends on the beat type, filebeat would be filebeat_) to every field name. So winlogbeat_event_code is originally event_code.
@drewmiranda-gl we’re using Ubuntu Server 22.04 so the Python version is 3.10.
I understand how Graylog prepends things to the fields, we’ve been running Graylog for some years now.
event_code isn’t a documented beats log field.
winlog_event_id is a documented beats log field.
I was wondering whether event_code is a Graylog addition as it doesn’t appear to be a winlogbeat field. I’m trying to identify where some of these replica fields are coming from.