Windows Event Log - Security

Hello,

Recently installed Graylog on CentOS 7 following this guide: https://www.itzgeek.com/how-tos/linux/centos-how-tos/how-to-install-graylog-on-centos-7-rhel-7.html

I configured Windows Server 2016 with the following NXlog config:

<Extension _gelf>
    # Loads the GELF formatter used by the UDP output below
    Module      xm_gelf
</Extension>

<Input eventlog>
    # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module      im_msvistalog
    # The XPath query below limits collection to the Application, System
    # and Security channels; remove the Query directive to collect every channel
    Query  <QueryList>\
               <Query Id="0">\
                   <Select Path="Application">*</Select>\
                   <Select Path="System">*</Select>\
                   <Select Path="Security">*</Select>\
               </Query>\
           </QueryList>
</Input>

<Output out_udp>
    # Sends each event as a GELF datagram to the Graylog UDP input
    Module      om_udp
    Host        192.168.1.6
    Port        12201
    OutputType  GELF_UDP
</Output>

<Route eventlog_to_udp>
    Path        eventlog => out_udp
</Route>

Now everything works, and I get my event ID 4740 for password lockouts, which I push to a stream and then get alerts for that stream.
My question: Is there some built-in feature for Graylog that can analyze my event IDs and alert me for strange behavior, or do I have to browse the Internet finding all the event IDs that I should be alerting on?
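The alerting the post describes (a stream that matches event ID 4740, then an alert when enough of those events arrive) is a count-in-a-time-window rule. The following is an added example, not code from the original post or from Graylog or NXLog: it parses GELF records of the shape NXLog's xm_gelf emits (the additional-field names `_EventID`, `_Channel` and `_TargetUserName`, the underscore prefix, the constructed timestamps and the threshold of three lockouts in ten minutes are all assumptions) and reports accounts whose lockouts cluster, which is what the stream alert condition does server-side.

```python
import json
from collections import defaultdict

# Constructed sample: GELF records as NXLog's xm_gelf would format im_msvistalog events.
# GELF carries extra fields with a leading underscore; the field names are assumptions,
# and the timestamps and account names are made up for the example.
SAMPLE_GELF_LINES = [
    json.dumps({"version": "1.1", "host": "DC01",
                "short_message": "A user account was locked out.",
                "timestamp": 1700000000 + 60 * i, "level": 6,
                "_Channel": "Security", "_EventID": 4740, "_TargetUserName": user})
    for i, user in enumerate(["alice", "bob", "alice", "alice", "alice"])
] + [
    # One unrelated Security event (4624, successful logon) to show it is filtered out
    json.dumps({"version": "1.1", "host": "DC01",
                "short_message": "An account was successfully logged on.",
                "timestamp": 1700000300, "level": 6,
                "_Channel": "Security", "_EventID": 4624, "_TargetUserName": "carol"}),
    "not json at all",  # a malformed datagram the parser must tolerate
]


def parse_gelf(lines):
    """Decode one GELF JSON object per line, skipping anything that is not valid GELF."""
    records = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "version" in obj and "short_message" in obj:
            records.append(obj)
    return records


def lockouts_by_account(records, window_seconds=600):
    """Return {account: peak number of 4740 events within any window_seconds span}."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("_Channel") == "Security" and int(r.get("_EventID", 0)) == 4740:
            by_user[r.get("_TargetUserName", "<unknown>")].append(float(r["timestamp"]))
    peaks = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: advance 'start' until the window fits, track the widest fit
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks


def flag_lockout_bursts(records, threshold=3, window_seconds=600):
    """Accounts whose lockouts reach the threshold inside the window, sorted by name."""
    peaks = lockouts_by_account(records, window_seconds)
    return sorted(user for user, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_gelf(SAMPLE_GELF_LINES)
    print("lockout peaks per account:", lockouts_by_account(recs))
    print("accounts to alert on:", flag_lockout_bursts(recs))
```

In Graylog the equivalent is a stream rule on the event ID field plus an alert condition on message count over a time range; the script is useful for testing the threshold against an exported batch of messages before committing to it.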

I am using this:

Active Directory Auditing (NXLOG)


Cool! I see there is a new version, I’ll grab that and see if I can get it working
