Winlogbeat Object Value are not equal to Event In Windows

lcosta · November 13, 2019, 10:57am

Good day,

I configured my graylog-sidecar, to send DNS events from my Domain Controller:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["10.100.1.20:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
     - name: Security
       event_id: 4662

The Event Values:

Object:
Object Server: DS
Object Type: dnsZone
Object Name: DC=nostromo.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nostromo,DC=com
Handle ID: 0x0

The Winlog Event Value:

Object:
Object Server: DS
Object Type: %{bf967a8b-0de6-11d0-a285-00aa003049e2}
Object Name: %{3f936758-2a36-41a2-a47a-96675c1a0537}
Handle ID: 0x0

Not understanding why this value is not equal, is there something “enconding” the values?

Thks

system · November 27, 2019, 10:57am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sidecar + WinLogBeat: Problem with JSON? Graylog Central (peer support) sidecar , winlogbeat	1	874	August 3, 2017
Winlogbeat "publishes" fine but specific events aren't seen in Graylog Graylog Central (peer support) sidecar , winlogbeat	1	1061	April 13, 2021
Graylog dublicates events - winlogbeat collector Graylog Central (peer support) sidecar , winlogbeat	5	1105	August 29, 2018
Windows events to graylog server Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	3	4784	December 27, 2018
Help with Winlogbeat config Graylog Central (peer support) sidecar , winlogbeat	3	3736	December 16, 2019

Winlogbeat Object Value are not equal to Event In Windows

Related topics