Windows 10/11 & Windows Server Security Log

Download from Github
View on GitHub
Open Issue

This content Pack is only intended for Windows Security Monitoring.
If you noticed some data about security that is not parsed or missing fields, you can open an issue and I will update the Content Pack.

Tested with Windows 10/11 and Windows Server 2022 and Graylog 5.2.2.

The Content Pack should be compatible with all Graylog 5.X version.

Note this was built without extractors, only pipeline rules.


  • Input (Beats/TCP/5044)
  • Stream (Filebeat & Winlogbeat)
  • Pipeline Rules w/ stages
  • Lookup table + Data adapter + data cache
  • Dashboards

Not included

Hard files that need to be downloaded, see info


  • Graylog 5.2.0
  • Sidecar API Token Created
  • Graylog Sidecar Agent 1.5.0
  • Winlogbeat & Filebeat 7.12.1
  • Winlogbeat Security & Powershell Module
  • Edit Windows-ALL-Security-Content-Pack.json before uploading it !

I worked hard to share this with the community, I hope it will suits your needs :wink:
PM me if you encounter any issue.

I dropped many Events on the winlogbeat configuration that are not needed for space optimization, adjust to your needs.

Log size estimation: 130 MB/Agents/day

  • 30 MB/Agents/day for filebeat
  • 100MB/Agents/day for winlogbeat

@s0p4L1N awesome thanks :+1: