Unable to get Windows Agent Logs


#1

I’m new to GrayLog and am just getting things setup. I’m also not entirely sure how to generate a display of the logs we’re collecting.

My initial test based on the documentation using BEATS.

Collector configuration installed on Windows PC::

server_url: http://gray.internal.lan:9000/api 
update_interval: 10
tls_skip_verify: false
send_status: true
list_log_files:
node_id: graylog-226
collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
cache_path: C:\Program Files\graylog\collector-sidecar\cache
log_path: C:\Program Files\graylog\collector-sidecar\logs
log_rotation_time: 86400
log_max_age: 2592000
tags: [win10]
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml

Tail of WinLogBeat file::

2018-07-11T15:31:46-07:00 INFO EventLog[Security] successfully published 1 events
2018-07-11T15:32:12-07:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30000 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=1778104 beat.memstats.memory_total=1282196616 libbeat.config.module.running=0 libbeat.output.events.acked=1 libbeat.output.events.batches=1 libbeat.output.events.total=1 libbeat.output.read.bytes=6 libbeat.output.write.bytes=1284 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=0 libbeat.pipeline.events.published=1 libbeat.pipeline.events.total=1 libbeat.pipeline.queue.acked=1 msg_file_cache.SecurityHits=1 published_events.Security=1 published_events.total=1 uptime={"server_time":"2018-07-11T22:32:12.2667005Z","start_time":"2018-07-11T16:39:39.0829912Z","uptime":"5h52m33.1837093s","uptime_ms":"21153183709"}
2018-07-11T15:32:42-07:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30000 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=1888408 beat.memstats.memory_total=1282306920 libbeat.config.module.running=0 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=0 uptime={"server_time":"2018-07-11T22:32:42.2660404Z","start_time":"2018-07-11T16:39:39.0829912Z","uptime":"5h53m3.1830492s","uptime_ms":"21183183049"}
2018-07-11T15:33:11-07:00 INFO EventLog[Security] successfully published 1 events
2018-07-11T15:33:12-07:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30000 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=3538240 beat.memstats.memory_total=1283956752 libbeat.config.module.running=0 libbeat.output.events.acked=1 libbeat.output.events.batches=1 libbeat.output.events.total=1 libbeat.output.read.bytes=6 libbeat.output.write.bytes=1256 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=0 libbeat.pipeline.events.published=1 libbeat.pipeline.events.total=1 libbeat.pipeline.queue.acked=1 msg_file_cache.SecurityHits=1 published_events.Security=1 published_events.total=1 uptime={"server_time":"2018-07-11T22:33:12.2658835Z","start_time":"2018-07-11T16:39:39.0829912Z","uptime":"5h53m33.1828923s","uptime_ms":"21213182892"}
2018-07-11T15:33:42-07:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30000 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=3675624 beat.memstats.memory_total=1284094136 libbeat.config.module.running=0 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=0 uptime={"server_time":"2018-07-11T22:33:42.2654713Z","start_time":"2018-07-11T16:39:39.0829912Z","uptime":"5h54m3.1824801s","uptime_ms":"21243182480"}
2018-07-11T15:34:12-07:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30001 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=1748712 beat.memstats.memory_total=1284195864 libbeat.config.module.running=0 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=0 uptime={"server_time":"2018-07-11T22:34:12.2654671Z","start_time":"2018-07-11T16:39:39.0829912Z","uptime":"5h54m33.1824759s","uptime_ms":"21273182475"}
2018-07-11T15:34:42-07:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=29999 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=1849840 beat.memstats.memory_total=1284296992 libbeat.config.module.running=0 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=0 uptime={"server_time":"2018-07-11T22:34:42.2645915Z","start_time":"2018-07-11T16:39:39.0829912Z","uptime":"5h55m3.1816003s","uptime_ms":"21303181600"}
2018-07-11T15:35:12-07:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30000 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=1956496 beat.memstats.memory_total=1284403648 libbeat.config.module.running=0 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=0 uptime={"server_time":"2018-07-11T22:35:12.2638176Z","start_time":"2018-07-11T16:39:39.0829912Z","uptime":"5h55m33.1808264s","uptime_ms":"21333180826"}
2018-07-11T15:35:42-07:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30000 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=2058384 beat.memstats.memory_total=1284505536 libbeat.config.module.running=0 libbeat.pipeline.clients=3 libbeat.pipeline.events.active=0 msg_file_cache.SecuritySize=-1 uptime={"server_time":"2018-07-11T22:35:42.2641025Z","start_time":"2018-07-11T16:39:39.0829912Z","uptime":"5h56m3.1811113s","uptime_ms":"21363181111"}
2018-07-11T15:35:55-07:00 INFO EventLog[Security] successfully published 1 events

Collectors::


#2

Global Inputs::


(Jochen) #3

Please post the logs of the Graylog Collector Sidecar.


(Jan Doberstein) #4

What is the content of C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml that should contain the beats configuration.


#7

fields:
collector_node_id: graylog-DH226
gl2_source_collector: 704b52ad-2136-4880-a210-f9af081b97e5
output:
logstash:
hosts:
- 192.168.1.50:5044
path:
data: C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data
logs: C:\Program Files\graylog\collector-sidecar\logs
tags:

  • win10
    winlogbeat:
    event_logs:
    • name: Application
    • name: System
    • name: Security

(Jan Doberstein) #8

and 192.168.1.50 is the IP of your Graylog Server where the beat can reach Graylogs Beat input?


#9

192.168.1.50 is the GrayLog server.

Btw, thx for the quick replies! :slight_smile:


#10

Random error 01::

Capture03


#11

Random error 02::


(Jochen) #12

Check the logs of your Graylog and Elasticsearch nodes.
http://docs.graylog.org/en/2.4/pages/configuration/file_location.html


(system) #13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.