Hello, I tried multiple variants for winlogbeat/sidecar version 1.5, but it seems I cannot make it work the way I want to.
I have a sidecar version 1.5 on a Windows Server with a winlogbeat. My Graylog is on version 5.2.0.
I have an old configuration file which still works with version 1.4:
Old Configuration for Version 1.4
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["ip and port"]
  ssl.verification_mode: full
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 48h
  # Account logon: successful, failed, logged off, logon using explicit credentials
  - name: Security
    event_id: 4616, 4624, 4625, 4634, 4647, 4648, 4688
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing
  # Active Directory monitoring: user account created, a user account was enabled, an attempt was made to change the password of an account, a user account was disabled, a user account was changed, a user account was locked out, a user account was unlocked
  - name: Security
    event_id: 4720-4727
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing
  # Active Directory monitoring, groups: a user was added to a privileged global group, a user was added to a privileged local group, a user was added to a privileged universal group, a privileged local group was modified, a privileged global group was modified, a privileged universal group was modified
  - name: Security
    event_id: 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740-4743, 4754-4758, 4764, 4767, 4769
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing
  # Active Directory Kerberos: a Kerberos authentication ticket request failed
  - name: Security
    event_id: 4770-4773, 4768, 4769
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing
  # Active Directory RDP:
  - name: Security
    event_id: 1024, 1100, 1101, 1102, 1103, 1104, 1149, 98, 131, 21, 22, 25
    level: info
    ignore_older: 48h
    provider:
      - Microsoft-Windows-Security-Auditing
  - name: System
    level: critical, error, warning
    ignore_older: 48h
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 48h
  - name: Windows PowerShell
    level: critical, error, warning
    ignore_older: 48h
  - name: Microsoft-Windows-PowerShell/Operational
    level: critical, error, warning
    ignore_older: 48h
  - name: Microsoft-Windows-Windows Defender/Operational
    level: critical, error, warning
    ignore_older: 48h
For version 1.5 this does not work, so I tried a different approach as described in the docs: https://go2docs.graylog.org/5-2/getting_in_log_data/ingest_windows_eventlog.html
That's how my current configuration file looks:
Current configuration for Version 1.5
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["port and ip"]
  ssl.verification_mode: full
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 48h
  - name: Security
    processors:
      - drop_event.when.not.or:
          - equals.event_id: 1100
          - equals.event_id: 1102
          - equals.event_id: 4616
          - equals.event_id: 4624
          - equals.event_id: 4625
          - equals.event_id: 4627
          - equals.event_id: 4634
          - equals.event_id: 4647
          - equals.event_id: 4648
          - equals.event_id: 4656
          - equals.event_id: 4657
          - equals.event_id: 4663
          - equals.event_id: 4670
          - equals.event_id: 4672
          - equals.event_id: 4673
          - equals.event_id: 4674
          - equals.event_id: 4688
          - equals.event_id: 4696
          - equals.event_id: 4697
          - equals.event_id: 4698
          - equals.event_id: 4719
          - equals.event_id: 4720
          - equals.event_id: 4722
          - equals.event_id: 4723
          - equals.event_id: 4724
          - equals.event_id: 4725
          - equals.event_id: 4726
          - equals.event_id: 4728
          - equals.event_id: 4732
          - equals.event_id: 4733
          - equals.event_id: 4735
          - equals.event_id: 4738
          - equals.event_id: 4740
          - equals.event_id: 4756
          - equals.event_id: 4767
          - equals.event_id: 4778
          - equals.event_id: 4779
          - equals.event_id: 4781
          - equals.event_id: 4799
          - equals.event_id: 4800
          - equals.event_id: 4801
          - equals.event_id: 4826
          - equals.event_id: 5140
          - equals.event_id: 5379
          - equals.event_id: 5449
    level: critical, error, warning, information
    ignore_older: 48h
  - name: System
    level: critical, error, warning
    ignore_older: 48h
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 48h
  - name: Windows PowerShell
    level: critical, error, warning
    ignore_older: 48h
  - name: Microsoft-Windows-PowerShell/Operational
    level: critical, error, warning
    ignore_older: 48h
  - name: Microsoft-Windows-Windows Defender/Operational
    level: critical, error, warning
    ignore_older: 48h
I am not getting any “Security” category in. With name: Security, processors:, - drop_event.when.not.or:, - equals.event_id: I understand I can define the events I want to keep. Nothing is coming in for Security.
I also changed equals.event_id to equals.winlog.event_id, with the same result.
I kept getting this message in my Graylog stream:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the graylog-collector-winlogbeat-64e5a7ebde67ea565c8910dc service.
I tried the other way around and changed my config to the following, where I do get my events. However, the Elasticsearch docs say that this is limited to 22 queries, and the list I want to include has more than 22 entries:
  - name: Security
    event_id: 4624, 4625, 4634, 4722-4728
    level: critical, error, warning, information
    ignore_older: 48h
However I keep getting this message:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the graylog-collector-winlogbeat-64e5a7ebde67ea565c8910dc service.
Could anyone help? Am I missing anything?
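As an added example (not part of the post above and not Graylog's or Winlogbeat's own code), here is a small Python helper for the two configuration styles the post compares: it expands a compact event_id spec such as "4624, 4625, 4634, 4722-4728" into concrete IDs, splits a long spec into several `- name: Security` entries so that no single event_id query exceeds the 22-clause limit the post mentions, and can alternatively render the `drop_event.when.not.or` processor block from the same spec instead of hand-writing one `equals` line per ID. Assumptions made here: each comma-separated token (single ID or range) is counted as one clause; the processor form uses the field name `winlog.event_id` (one of the two names the post tried) and quotes the value, on the assumption that winlog.event_id is stored as a string field in current Winlogbeat versions; the default level and ignore_older values are copied from the post's last snippet.

```python
"""Build Winlogbeat event_logs entries from a compact event ID spec.

Added example, not part of the forum post or of Graylog/Winlogbeat.
"""
from typing import List

# Clause limit for a single event_id query, as stated in the post.
CLAUSE_LIMIT = 22


def parse_event_ids(spec: str) -> List[str]:
    """Split 'a, b, c-d' into its comma-separated tokens, keeping ranges intact."""
    return [tok.strip() for tok in spec.split(",") if tok.strip()]


def expand_event_ids(spec: str) -> List[int]:
    """Resolve every token to concrete IDs; '4722-4728' becomes 4722..4728.

    Duplicates are dropped while keeping first-seen order, so a spec that lists
    an ID twice (as 4769 is in the post's 1.4 config) yields it once.
    """
    ids: List[int] = []
    for tok in parse_event_ids(spec):
        if tok.startswith("-"):
            # Leading '-' is Winlogbeat's exclusion syntax; not modelled here.
            raise ValueError(f"exclusion token {tok!r} is not supported by this example")
        if "-" in tok:
            lo_s, hi_s = tok.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"range {tok!r} runs backwards")
            ids.extend(range(lo, hi + 1))
        else:
            ids.append(int(tok))
    seen = set()
    unique: List[int] = []
    for event_id in ids:
        if event_id not in seen:
            seen.add(event_id)
            unique.append(event_id)
    return unique


def split_event_id_queries(spec: str, limit: int = CLAUSE_LIMIT) -> List[str]:
    """Chunk the tokens so each returned event_id value has at most `limit` clauses.

    Assumption of this example: one token (ID or range) counts as one clause.
    """
    if limit < 1:
        raise ValueError("limit must be positive")
    tokens = parse_event_ids(spec)
    return [", ".join(tokens[i:i + limit]) for i in range(0, len(tokens), limit)]


def render_event_id_entries(spec: str, name: str = "Security",
                            level: str = "critical, error, warning, information",
                            ignore_older: str = "48h", limit: int = CLAUSE_LIMIT) -> str:
    """Render one `- name:` entry per chunk, the style of the post's last snippet."""
    blocks = []
    for chunk in split_event_id_queries(spec, limit):
        blocks.append(
            f"  - name: {name}\n"
            f"    event_id: {chunk}\n"
            f"    level: {level}\n"
            f"    ignore_older: {ignore_older}\n"
        )
    return "".join(blocks)


def render_drop_event_entry(spec: str, name: str = "Security",
                            level: str = "critical, error, warning, information",
                            ignore_older: str = "48h",
                            field: str = "winlog.event_id") -> str:
    """Render the processor form: keep only the listed IDs, drop every other event."""
    lines = [f"  - name: {name}", "    processors:", "      - drop_event.when.not.or:"]
    for event_id in expand_event_ids(spec):
        # Quoted on purpose: this example assumes the field is stored as a string.
        lines.append(f'          - equals.{field}: "{event_id}"')
    lines.append(f"    level: {level}")
    lines.append(f"    ignore_older: {ignore_older}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input, taken from the post's last snippet.
    SPEC = "4624, 4625, 4634, 4722-4728"
    print("winlogbeat.event_logs:")
    print(render_event_id_entries(SPEC), end="")
    print(render_drop_event_entry(SPEC), end="")
```

Running it prints both renderings for the same spec, so the two forms can be compared side by side; feeding it the full 45-ID list from the 1.5 config shows how many separate `- name: Security` entries the event_id style would need under the 22-clause limit.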