Windows Event Log - Security


Recently installed Graylog on CentOS 7 following this guide:

I configured Windows Server 2016 with the following NXLog config:

    <Extension _gelf>
        Module      xm_gelf
    </Extension>

    <Input eventlog>
        # Use 'im_mseventlog' for Windows XP, 2000 and 2003
        Module      im_msvistalog
        # Uncomment the following to collect specific event logs only
        Query  <QueryList>\
                   <Query Id="0">\
                       <Select Path="Application">*</Select>\
                       <Select Path="System">*</Select>\
                       <Select Path="Security">*</Select>\
                   </Query>\
               </QueryList>
    </Input>

    <Output out_udp>
        Module      om_udp
        # Placeholder: om_udp needs the Graylog host; the real address is not given in the post
        Host        GRAYLOG_HOST_PLACEHOLDER
        Port        12201
        OutputType  GELF_UDP
    </Output>

    <Route eventlog_to_udp>
        Path        eventlog => out_udp
    </Route>

Now everything works, and I get my event ID 4740 for password lockouts, which I push to a stream and then get alerts for that stream.
My question: Is there some built-in feature for Graylog that can analyze my event IDs and alert me on strange behavior, or do I have to browse the Internet finding all the event IDs that I should be alerting on?
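The kind of event-ID analysis asked about above, as an added example that is not part of this thread nor Graylog or NXLog code: a small Python detector run over constructed GELF 1.1 messages in the shape NXLog's xm_gelf emits (the underscore-prefixed Windows fields such as _EventID and _TargetUserName are assumed names), which alerts on every 4740 lockout and on a burst of 4625 failed logons against one account, i.e. what a stream alert condition would express.

```python
import json
from collections import defaultdict

# Constructed sample messages in GELF 1.1 JSON form (what NXLog's xm_gelf
# sends over om_udp); the underscore-prefixed Windows fields are assumed names.
def gelf(ts, event_id, user, msg):
    return json.dumps({"version": "1.1", "host": "DC01", "short_message": msg,
                       "timestamp": ts, "_Channel": "Security",
                       "_EventID": event_id, "_TargetUserName": user})

SAMPLE_GELF = [gelf(1500000000, 4740, "jdoe", "A user account was locked out.")]
SAMPLE_GELF += [gelf(1500000100 + 20 * i, 4625, "svc-backup", "An account failed to log on.")
                for i in range(6)]                      # burst: 6 failures in 100 s
SAMPLE_GELF += [gelf(1500000500, 4625, "alice", "An account failed to log on.")]  # one-off

# Security-log event IDs worth a stream alert on their own.
WATCHED = {4740: "account lockout", 4720: "user account created",
           4728: "member added to security-enabled global group"}

def parse_gelf(line):
    """Pull the fields the detector needs out of one GELF JSON message."""
    m = json.loads(line)
    return {"ts": int(m["timestamp"]), "event_id": int(m["_EventID"]),
            "user": m.get("_TargetUserName", "?"), "channel": m.get("_Channel", "")}

def detect(events, threshold=5, window=300):
    """Return (timestamp, kind, user, reason) alerts: one per watched event, and
    one per account when `threshold` 4625 failures land inside `window` seconds."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["channel"] != "Security":
            continue
        if e["event_id"] == 4625:
            recent = failures[e["user"]]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:   # slide the window
                recent.pop(0)
            if len(recent) == threshold:                      # fire once per burst
                alerts.append((e["ts"], "burst", e["user"],
                               f"{threshold} failed logons within {window}s"))
        elif e["event_id"] in WATCHED:
            alerts.append((e["ts"], "single", e["user"], WATCHED[e["event_id"]]))
    return alerts

def run_sample():
    return detect(parse_gelf(line) for line in SAMPLE_GELF)

if __name__ == "__main__":
    for ts, kind, user, reason in run_sample():
        print(f"{ts} {kind:6} {user:12} {reason}")
```

The single failed logon for alice stays below the threshold and produces nothing, which is the point of thresholding 4625 rather than alerting on every occurrence.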

I am using this:

Active Directory Auditing (NXLOG)


Cool! I see there is a new version, I’ll grab that and see if I can get it working
