I came across this thread when looking for a way to ingest my Windows Server print logs into Graylog and figured I would post what it took to get this working for me in case it helps anyone else who comes across this thread in the future… A little bit of modification was required to make the OP’s configuration work for my setup, which is sidecar version 1.5.0.1, which includes winlogbeat v8. Based on my research trying to get this to work, I believe the OP’s config was written for sidecar 1.4 or older, which uses winlogbeat v7.
To give credit where credit is due this is where I ended up finding the sidecar syntax differed between versions of Sidecar/Winlogbeat: Winlogbeat drop_event.when.not.or: not working - Sidecar Version 1.5, Graylog 5.2 - #3 by bavarian
My Sidecar configuration:

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["10.20.0.20:5045"]
path:
  data: C:\Program Files\Graylog\sidecar\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat.event_logs:
  - name: Microsoft-Windows-PrintService/Operational
    processors:
      # Keep only event 307 (document printed); everything else from this channel is dropped
      - drop_event.when.not.or:
          - equals.winlog.event_id: "307"
```
My Pipeline rule:

```
rule "Printer_Tracking"
when
    // Function converts generic field names to useful ones
    // then removes the unhelpful field names because we don't want them
    to_string($message.winlog_event_id) == "307"
then
    // change fields to something that makes sense.
    set_field("print_user", $message.winlog_user_data_Param3);
    set_field("printed_from", $message.winlog_user_data_Param4);
    set_field("printer_name", $message.winlog_user_data_Param5);
    set_field("printed_from_ip", $message.winlog_user_data_Param6);
    set_field("page_count", to_long($message.winlog_user_data_Param8));
    remove_field("winlog_user_data_Param1"); // document number
    remove_field("winlog_user_data_Param2"); // action i.e. "Print Document"
    remove_field("winlog_user_data_Param3");
    remove_field("winlog_user_data_Param4");
    remove_field("winlog_user_data_Param5");
    remove_field("winlog_user_data_Param6");
    remove_field("winlog_user_data_Param7"); // size in bytes
    remove_field("winlog_user_data_Param8");
    remove_field("winlog_process_thread_id"); // who cares about the thread id? Not me.
    remove_field("winlog_process_pid"); // who cares about the pid? Also not me.
    remove_field("winlog_opcode");
    // Pull out for reporting
    route_to_stream("Windows Servers");
end
```
Also, like @cdshow, I had to remove the appended winlogbeats from the input and adjust the route_to_stream line to match up with a Stream in my environment.
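As an added example, not part of the original post and not Graylog's or winlogbeat's own code, here is a small Python emulation of the two steps above: the winlogbeat `drop_event` filter that keeps only event ID 307, and the pipeline rule that renames the `winlog_user_data_ParamN` fields, casts the page count, strips the unwanted fields and routes the message. The sample events are constructed to look like what the Graylog Beats input produces (dotted winlogbeat field names flattened to underscores); the field names are taken from the post, the values are made up. Running it offline lets you sanity-check the mapping before you wire the rule into a live pipeline.

```python
# Emulation of the winlogbeat drop filter + Graylog pipeline rule from the post.
# Constructed sample events: field names follow the post, values are invented.
SAMPLE_EVENTS = [
    {
        "winlog_event_id": "307",
        "winlog_user_data_Param1": "12",                # document number
        "winlog_user_data_Param2": "Print Document",    # action
        "winlog_user_data_Param3": "jdoe",              # user
        "winlog_user_data_Param4": "WORKSTATION01",     # client host
        "winlog_user_data_Param5": "HP LaserJet 4000",  # printer
        "winlog_user_data_Param6": "192.0.2.15",        # client IP
        "winlog_user_data_Param7": "482391",            # size in bytes
        "winlog_user_data_Param8": "3",                 # pages
        "winlog_process_thread_id": "4412",
        "winlog_process_pid": "2128",
        "winlog_opcode": "Info",
        "message": "Document 12, Print Document owned by jdoe on WORKSTATION01 was printed",
    },
    # A different PrintService event; the drop_event filter should discard it
    {"winlog_event_id": "842", "message": "Print job sent to printer"},
]

# set_field(...) renames from the pipeline rule
PARAM_MAP = {
    "winlog_user_data_Param3": "print_user",
    "winlog_user_data_Param4": "printed_from",
    "winlog_user_data_Param5": "printer_name",
    "winlog_user_data_Param6": "printed_from_ip",
}

# remove_field(...) list from the pipeline rule
REMOVE_FIELDS = [
    "winlog_user_data_Param1", "winlog_user_data_Param2",
    "winlog_user_data_Param3", "winlog_user_data_Param4",
    "winlog_user_data_Param5", "winlog_user_data_Param6",
    "winlog_user_data_Param7", "winlog_user_data_Param8",
    "winlog_process_thread_id", "winlog_process_pid", "winlog_opcode",
]


def keep_event(event):
    """Emulates `drop_event.when.not.or: [equals.winlog.event_id: "307"]`:
    the event survives only when the event ID equals 307."""
    return str(event.get("winlog_event_id", "")) == "307"


def apply_rule(event):
    """Emulates the Printer_Tracking rule: returns a new message dict."""
    if str(event.get("winlog_event_id", "")) != "307":
        return dict(event)  # `when` clause false: message passes through untouched
    out = dict(event)
    for src, dst in PARAM_MAP.items():
        out[dst] = out.get(src)
    # to_long() in Graylog falls back to 0 when the value is not numeric;
    # this emulation mirrors that default.
    try:
        out["page_count"] = int(out.get("winlog_user_data_Param8"))
    except (TypeError, ValueError):
        out["page_count"] = 0
    for name in REMOVE_FIELDS:
        out.pop(name, None)
    # route_to_stream("Windows Servers"); the stream name is recorded here
    # so the result can be inspected offline
    out["stream"] = "Windows Servers"
    return out


def process(events):
    """Full path: winlogbeat filter first, then the pipeline rule."""
    return [apply_rule(e) for e in events if keep_event(e)]


if __name__ == "__main__":
    for msg in process(SAMPLE_EVENTS):
        print(msg)
```

Swap in a few real flattened events from your own instance (for example, copied from a message's "show fields" view) to confirm the Param numbering matches your winlogbeat version before relying on the renamed fields for reporting.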