Winlogbeat Collector Configuration Not Working

Hi all,

I’m trying to replicate the Winlogbeat Collector Config from the Graylog 5.0 Docs (Ingest Windows Event Logs); however, the drop_event processor condition is not working. The application logs get pulled correctly, but the Security and System logs don’t, as the condition doesn’t seem to apply correctly.

None of the event_ids listed make it to Graylog, as they get dropped. Here is a snippet of the relevant bit:

winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.event_id: 129
        - equals.event_id: 141
        - equals.event_id: 1102
        - equals.event_id: 4624
        - equals.event_id: 4634
        - equals.event_id: 4648
        - equals.event_id: 4657
        - equals.event_id: 4688
        - equals.event_id: 4697
        - equals.event_id: 4698
        - equals.event_id: 4720
        - equals.event_id: 4738
        - equals.event_id: 4767
        - equals.event_id: 4728
        - equals.event_id: 4732
        - equals.event_id: 4634
        - equals.event_id: 4735
        - equals.event_id: 4740
        - equals.event_id: 4756
    level: critical, error, warning, information
    ignore_older: 48h

I found out why it was failing after going through the Beats documentation. It seems like the Graylog Docs are outdated.

The correct way to access event_id is via winlog.event_id.

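The corrected form of the Security section, as an added example that is not part of the original post: the only change from the snippet above is the field path in each `equals` condition, `winlog.event_id` instead of `event_id`, which is the path the Winlogbeat reference configuration uses. The event IDs are the poster's own list with the duplicate 4634 entry removed; the `level` and `ignore_older` settings are kept as posted. The same field path change applies to the System section, whose ID list is not shown in the thread.

```yaml
winlogbeat.event_logs:
  - name: Security
    processors:
      # Keep only the listed event IDs and drop everything else.
      # The condition must reference the field Winlogbeat actually populates:
      #   - equals.event_id: 4624          # wrong: no such field, so the condition never matches
      #   - equals.winlog.event_id: 4624   # correct
      - drop_event.when.not.or:
          - equals.winlog.event_id: 129
          - equals.winlog.event_id: 141
          - equals.winlog.event_id: 1102
          - equals.winlog.event_id: 4624
          - equals.winlog.event_id: 4634
          - equals.winlog.event_id: 4648
          - equals.winlog.event_id: 4657
          - equals.winlog.event_id: 4688
          - equals.winlog.event_id: 4697
          - equals.winlog.event_id: 4698
          - equals.winlog.event_id: 4720
          - equals.winlog.event_id: 4738
          - equals.winlog.event_id: 4767
          - equals.winlog.event_id: 4728
          - equals.winlog.event_id: 4732
          - equals.winlog.event_id: 4735
          - equals.winlog.event_id: 4740
          - equals.winlog.event_id: 4756
    level: critical, error, warning, information
    ignore_older: 48h
```

Because `drop_event.when.not.or` drops every event that matches none of the listed conditions, a wrong field path silently discards the whole channel rather than producing an error, which is exactly the symptom described above. A quick check after editing is to run `winlogbeat test config` and then confirm that a known event, such as a 4624 logon, reaches Graylog.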

I ran into the same issue and ended up going to the Elasticsearch Beats docs to find it. Glad you found it so quickly! 🙂
