Windows reboot not being logged correctly by Collector Sidecar

Hello,

OS: Windows Server 2012 R2
Collector Sidecar version: 0.1.7
Graylog 2.5.1+34194da (Oracle Corporation 1.8.0_191 on Linux 4.15.0-45-generic)

Problem: When rebooting the system, there is no log à la
The process <process> has initiated the restart of <computer name> for the following reason: No title for this reason could be found. Minor Reason: <reason> Shutdown Type: <type> logged to my Graylog instance.

I can find it in the local Event Log, though.

I can replicate this on multiple Graylog instances and multiple servers.

What is weird is that it logs everything else, just not this one log entry. Also weird: Sometimes it is being logged on some systems.

Thanks in advance!

Sidecar is only a controllor for the collector -

I guess you use winlogbeat? How did you configure winlogbeat to collect the messages? What filter did you set for the windows event log?

There is a chance (small, but still) that the reboot process killed off winlogbeat (or any other log collector) before it logged the message, so it never got read and sent.

grafik.png591×513 22.5 KB

This is the default configuration provided by Graylog.

The weird thing is that on some systems it works flawlessly, on some it does not.

I thought the same, but it still logs other system messages à la: “$PROCESS shut down.”

But then would it not be picked up and sent to Graylog upon the next system boot?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.