1. Describe your incident:
I’m testing Winlogbeat 8 to work along with Graylog, but it seems it can’t load the Sysmon / Powershell / Security modules.
2. Describe your environment:
- OS Information: Windows 11
- Package Version: Graylog 6.1.5 / mongoDB 7.0.14 / Datanode 6.1
3. What steps have you already taken to try and solve the problem?
I have the winlogbeat 8.X YML conf, it works but without the modules loaded.
Elastic says in the documentation:
Winlogbeat modules have changed in 8.0.0 to use Elasticsearch Ingest Node for processing.
Winlogbeat modules are implemented using Elasticsearch Ingest Node pipelines. The events receive their transformations within Elasticsearch. All events are sent through Winlogbeat’s “routing” pipeline that routes events to specific module pipelines based on their winlog.channel value.
Meaning the pipeline route works only with Elastic.
4. How can the community help?
How is it possible to make the modules work with winlogbeat 8 and Graylog 6.X?
One solution I see is to translate the winlogbeat modules into pipeline rules… to enrich logs.
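The "routing by winlog.channel" step that the quoted Elastic text describes can be reproduced on the Graylog side as pipeline rules, which is the translation the post proposes. The rules below are an added example written for this thread; they are not code from the original post, from Elastic's Winlogbeat modules or from the Graylog project. They assume the events arrive through a Graylog Beats input, which flattens the nested Winlogbeat JSON so that `winlog.channel` becomes the message field `winlog_channel` and `winlog.event_id` becomes `winlog_event_id`; the field names `event_module`, `event_category` and `event_action` and the value `process_creation` are chosen here, not defined by Graylog or Elastic.

```graylog
// Added example, not from the original post or from Graylog/Elastic.
// Assumption: the Beats input flattened "winlog.channel" to "winlog_channel".
// Stage 0: tag each event with a module name, mirroring Elastic's routing pipeline.
rule "winlogbeat: route sysmon channel"
when
  has_field("winlog_channel") &&
  to_string($message.winlog_channel) == "Microsoft-Windows-Sysmon/Operational"
then
  set_field("event_module", "sysmon");
end

rule "winlogbeat: route security channel"
when
  has_field("winlog_channel") &&
  to_string($message.winlog_channel) == "Security"
then
  set_field("event_module", "security");
end

// Stage 1: per-module enrichment, the part each Winlogbeat module pipeline does.
// Sysmon event ID 1 is a process-creation event; the category/action values are
// labels chosen for this example.
rule "winlogbeat: sysmon process creation"
when
  has_field("event_module") &&
  to_string($message.event_module) == "sysmon" &&
  to_string($message.winlog_event_id) == "1"
then
  set_field("event_category", "process");
  set_field("event_action", "process_creation");
end
```

Each `rule ... end` block is saved as its own pipeline rule in Graylog; the two routing rules go in an earlier pipeline stage than the enrichment rule, because the enrichment rule's `when` clause only matches once `event_module` has been set. The same pattern (one routing rule per channel, then per-event-ID enrichment rules keyed on `winlog_event_id`) extends to the PowerShell channels the post mentions.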