Winlogbeat configuration - snippets


(Lyubomir ) #1

Hi there,

I’ve been trying to configure the collector-sidecar (Winlogbeat) using Snippets.

My snippets conf looks like this

winlogbeat.event_logs:
  - name: Security
    event_id: 500-820
  - name: System
    level: critical, error, warning
  - name: Application
    level: critical, error, warning

And my full Winlogbeat.yml is this:

fields:
  collector_node_id: graylog-collector-sidecar
  gl2_source_collector: eff0bd2f-d5b7-445c-a57e-de9b63a0af8c
output:
  logstash:
    hosts:
    - 10.1.10.30:5044
path:
  data: C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data
  logs: C:\Program Files\graylog\collector-sidecar\logs
tags:
- windows
winlogbeat:
  event_logs:
  - name: Application
  - name: System
  - name: Security
winlogbeat.event_logs:
  - name: Security
    event_id: 500-820
  - name: System
    level: critical, error, warning
  - name: Application
    level: critical, error, warning

As soon as I remove the event_id filter I start to receive logs. Unfortunately, I m not able to filter just the range I want.


(marius) #2

Hi,
in Graylog 3.0 you will be able to edit the full configuration file by hand. That should make such use cases easier. Currently you have to edit the ‘Event Name’ field in the input configuration to something like:

[{'name':'Application','level':"critical, error, warning'},{'name':'System', 'level':"critical,error,warning'},{'name':'Security','event_id':'500-820'}]

Cheers,
Marius


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.