Recently installed Graylog on CentOS 7 following this guide: https://www.itzgeek.com/how-tos/linux/centos-how-tos/how-to-install-graylog-on-centos-7-rhel-7.html
I configured Windows Server 2016 with the following NXLog config:

<Extension _gelf>
    Module xm_gelf
</Extension>

<Input eventlog>
    # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module im_msvistalog
    # Uncomment the following to collect specific event logs only
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output out_udp>
    Module om_udp
    Host 192.168.1.6
    Port 12201
    OutputType GELF_UDP
</Output>

<Route eventlog_to_udp>
    Path eventlog => out_udp
</Route>
Now everything works, and I get my event ID 4740 for password lockouts, which I push to a stream and then get alerts for that stream.
My question: Is there some built-in feature in Graylog that can analyze my event IDs and alert me on strange behavior, or do I have to browse the Internet to find all the event IDs that I should be alerting on?
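As an added example (not part of the post, nor Graylog's or NXLog's own code), here is the kind of event-ID rule the question is about, written as a small Python checker over constructed GELF records like those the config above forwards. The field names `_EventID` and `_TargetUserName` are assumed to be what xm_gelf emits for im_msvistalog input (GELF prefixes extra fields with `_`); the sample records are made up.

```python
import json
from collections import defaultdict

# Constructed sample of GELF records, one JSON document per line, in the shape
# NXLog's xm_gelf would send for the Security channel. Field names are assumed.
SAMPLE_GELF = """
{"version":"1.1","host":"DC01","short_message":"An account was locked out.","timestamp":1700000000,"_Channel":"Security","_EventID":4740,"_TargetUserName":"jdoe"}
{"version":"1.1","host":"DC01","short_message":"An account failed to log on.","timestamp":1700000010,"_Channel":"Security","_EventID":4625,"_TargetUserName":"svc_backup"}
{"version":"1.1","host":"DC01","short_message":"An account failed to log on.","timestamp":1700000020,"_Channel":"Security","_EventID":4625,"_TargetUserName":"svc_backup"}
{"version":"1.1","host":"DC01","short_message":"An account failed to log on.","timestamp":1700000030,"_Channel":"Security","_EventID":4625,"_TargetUserName":"svc_backup"}
{"version":"1.1","host":"DC01","short_message":"An account was successfully logged on.","timestamp":1700000040,"_Channel":"Security","_EventID":4624,"_TargetUserName":"jdoe"}
{"version":"1.1","host":"DC01","short_message":"An account failed to log on.","timestamp":1700001000,"_Channel":"Security","_EventID":4625,"_TargetUserName":"svc_backup"}
"""

# Event IDs that warrant an alert on every single occurrence.
# 4740 is the lockout event the post already streams.
SINGLE_HIT_IDS = {4740: "account lockout"}


def analyze(gelf_lines, threshold=3, window_seconds=300):
    """Return a list of (timestamp, rule, user) alerts.

    Rule 1: any event in SINGLE_HIT_IDS fires immediately.
    Rule 2: `threshold` or more 4625 logon failures for the same account
            within a sliding window of `window_seconds` fires once per burst.
    """
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent 4625 events
    for line in gelf_lines.strip().splitlines():
        rec = json.loads(line)
        eid, user, ts = rec.get("_EventID"), rec.get("_TargetUserName"), rec["timestamp"]
        if eid in SINGLE_HIT_IDS:
            alerts.append((ts, SINGLE_HIT_IDS[eid], user))
        elif eid == 4625:
            # keep only failures that fall inside the window ending at this event
            win = [t for t in failures[user] if ts - t <= window_seconds] + [ts]
            if len(win) >= threshold:
                alerts.append((ts, "repeated logon failures", user))
                win = []  # reset so one burst yields one alert, not one per event
            failures[user] = win
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_GELF):
        print(alert)
```

In Graylog itself the same two rules map onto a filter-style alert (rule 1) and an aggregation alert with a count threshold grouped by the user field (rule 2).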