Hi
I use Graylog pretty well; it collects logs from my Linux and even Windows servers. But I have found that it does not collect everything from Windows. E.g. I can see that all failed and even successful logons are collected, and even newly created and deleted accounts in Active Directory. But changes in groups are not collected, even if I can see them in Event Viewer on the domain controller. I started to collect data from the Enterprise Certification Authority. I can see that all is collected from the Security channel, but not EventID 4872 (CRL publishing). How can I troubleshoot it?
My Graylog runs on Ubuntu server 22 in Docker container
Package Version: 6.1.5
I use NXLog clients on my Windows servers. I checked nxlog.conf and there is no filtering that would drop any messages on the client side.
I set only a filter on the name of my server (source:servername) and then searched for my lost Event IDs manually, without success.
My stream rules are very simple (source contains nameofserver). There is no special filtering.
I don't have any pipeline that would drop any message regarding Windows servers.
Can you tell me what more to check in Graylog? Or must I do anything special with my Windows server to get all logs?
Thank you, Aldomoro
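The first thing to separate in a case like this is whether the events ever reach the collector at all, or whether they are never written on the Windows host. The script below is an added example, not part of the original post and not Graylog's or NXLog's own tooling: run in an elevated PowerShell session on the DC or CA, it checks the local Security log for the event IDs in question (4872 from the post; add the group-change IDs you expect), then checks the NXLog service and tails its own log for errors. The NXLog log path is the installer's default and is an assumption here.

```powershell
# Added example (not from the original post, Graylog or NXLog).
# Step 1: confirm the "missing" events really exist in the local Security log.
# Step 2: confirm NXLog is running and is not reporting errors of its own.
# Assumptions: NXLog installed in its default location and logging to
# data\nxlog.log; run as Administrator so the Security log is readable.

$EventIds = @(4872)                                     # CRL published (from the post); add more IDs as needed
$Since    = (Get-Date).AddDays(-7)
$NxlogLog = 'C:\Program Files\nxlog\data\nxlog.log'     # assumed default path

# --- Step 1: are the events present locally? ---------------------------------
# If nothing is returned, the gap is in the Windows audit policy, not in Graylog.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventIds; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No events with ID(s) $($EventIds -join ',') in the Security log since $Since."
    Write-Host "Review the audit policy with: auditpol /get /category:*"
} else {
    # Count per event ID, so you know how many records Graylog should hold
    $events | Group-Object Id |
        Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count |
        Format-Table -AutoSize

    # Newest occurrence: search Graylog around this timestamp for the same source
    $events | Sort-Object TimeCreated -Descending |
        Select-Object -First 1 TimeCreated, Id, ProviderName |
        Format-List
}

# --- Step 2: is the collector healthy? ---------------------------------------
Get-Service -Name nxlog -ErrorAction SilentlyContinue | Select-Object Name, Status

if (Test-Path $NxlogLog) {
    # Recent warnings/errors from NXLog itself (dropped events, output failures)
    Get-Content -Path $NxlogLog -Tail 200 |
        Select-String -Pattern 'ERROR|WARNING' |
        Select-Object -Last 20
} else {
    Write-Host "NXLog log not found at $NxlogLog (adjust the path for your install)."
}
```

If step 1 shows the events locally but Graylog has none with the same timestamp and source, the drop is between NXLog's input module and the Graylog input (output module config, GELF field mapping, or an extractor on the input), and the NXLog log from step 2 is where that usually shows up. If step 1 shows nothing, the host is not auditing those events: for the CA events (4872 and its neighbours) Windows requires both the "Certification Services" audit subcategory and the auditing checkboxes on the CA's own properties to be enabled, which is a separate setting from the rest of the Security log. When searching in Graylog, the field name for the event ID depends on how nxlog.conf formats the output (NXLog's im_msvistalog module exposes it as EventID), so confirm the actual field name on a logon event you know was collected before concluding that 4872 is absent.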