First order of business is: did you handwrite the winlogbeat.yml file? Or was it generated by Graylog? Because it’s the latter that needs to be done. When using the Sidecar, you don’t manually manage BEATS.
Funnily enough we just had a discussion about setting up the Sidecar over here:
