Hi all, I’m fairly new to all of this, so please let me know if you need more info or if I’m barking up the wrong tree.
I’ve set up a single plain Graylog server on Debian 10, configured a Winlogbeat sidecar and deployed it out to my servers. The config:
```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["<server>"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: Security
      processors:
        - drop_event.when.not.or:
            - equals.event_id: 129
            <snip>
    - name: System
      processors:
        - drop_event.when.not.or:
            - equals.event_id: 129
            <snip>
    - name: DFS Replication
    - name: Microsoft-Windows-Backup
    - name: Microsoft-Windows-BitLocker/BitLocker Operational
    - name: Microsoft-Windows-DNS-Client/Operational
    - name: Microsoft-Windows-GroupPolicy/Operational
    - name: Microsoft-Windows-Kernel-Boot/Operational
    - name: Microsoft-Windows-NCSI/Operational
    - name: Microsoft-Windows-Ntfs/Operational
    - name: Microsoft-Windows-SMBServer/Operational
    - name: Microsoft-Windows-SMBServer/Security
    - name: Microsoft-Windows-Sysmon/Operational
    - name: Microsoft-Windows-TaskScheduler/Operational
    - name: Microsoft-Windows-TCPIP/Operational
    - name: Microsoft-Windows-TerminalServices-Gateway/Operational
    - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    - name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
    - name: Microsoft-Windows-UAC/Operational
    - name: Microsoft-Windows-User Profile Service/Operational
    - name: Microsoft-Windows-Windows Defender/Operational
    - name: Microsoft-Windows-WindowsUpdateClient/Operational
    - name: Microsoft-Windows-Winlogon/Operational
    - name: OpenSSH/Operational
```
For most of the event sources above, the system is working great. However, for Microsoft-Windows-Sysmon/Operational and Microsoft-Windows-TerminalServices-Gateway/Operational I’m getting no events, or only some (respectively).
The sysmon log is quite noisy, and I can see winlogbeat publishing events in its log:
```
2021-03-30T08:26:01.175+0800	INFO	beater/eventlogger.go:88	EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events
2021-03-30T08:26:03.193+0800	INFO	beater/eventlogger.go:88	EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 11 events
2021-03-30T08:26:04.174+0800	INFO	beater/eventlogger.go:88	EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events
2021-03-30T08:26:05.222+0800	INFO	beater/eventlogger.go:88	EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 13 events
2021-03-30T08:26:06.239+0800	INFO	beater/eventlogger.go:88	EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 2 events
2021-03-30T08:26:07.240+0800	INFO	beater/eventlogger.go:88	EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events
```
When searching in Graylog for “sysmon” I can only see things related to sysmon (e.g. the task to set it up) rather than the contents of the log. When I use winlogbeat_event_provider:Microsoft-Windows-Sysmon as a filter for the last week, I get nothing at all.
For the TS Gateway log, some events are seen, but not the ones I actually care about:
I want to see when a user uses the gateway, which is shown by this event:
I currently have a task scheduled to trigger when that particular event happens and email a logging mailbox. I can see that happening at the right time in graylog, but the event we want isn’t shown at all.
<Image would be attached but I’m limited to 1 per post for now>
What’s weird is that the “boring” messages from the TS Gateway log (service starts) are coming through.
This whole time I’m using the all messages stream, and I can’t think of any way that this stuff is being filtered out (as winlogbeat seems to grab the data fine).
Any help is appreciated!
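One check worth making before digging into Graylog is to put numbers on the shipper side: sum what winlogbeat's own log says it published per channel over a window, then compare that with a per-channel count from a Graylog search over the same window. A channel that the beat published but Graylog never shows points at the input, pipeline or stream rules; a channel the beat never published points at the winlogbeat config. The script below is an added example, not code from the post or from the Graylog or Beats projects. It parses the `successfully published N events` lines quoted above (accepting both the tab-separated form winlogbeat writes and the `|`-delimited form the post's copy came through as); the Graylog counts are constructed placeholders standing in for a search over the channel field, and the extra TS Gateway, System and metrics lines are constructed too.

```python
"""Cross-check winlogbeat's own publish log against per-channel Graylog counts.

Added example, not from the original post. Graylog figures are constructed
placeholders for whatever a search per channel returned for the same window.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# winlogbeat's publish line: ts, level, source file, then the EventLog[...] message.
# Real log lines are tab-separated; parse_publish_line() normalises "|" to a tab
# so the table-mangled copy from the post parses too.
PUBLISH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<src>\S+)\s+"
    r"EventLog\[(?P<log>[^\]]+)\] successfully published (?P<n>\d+) events?$"
)

# Constructed sample: the six Sysmon lines quoted in the post (pipe form), plus
# made-up lines for two other channels and one unrelated metrics line.
SAMPLE_WINLOGBEAT_LOG = """\
|2021-03-30T08:26:01.175+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events|
|2021-03-30T08:26:03.193+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 11 events|
|2021-03-30T08:26:04.174+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events|
|2021-03-30T08:26:05.222+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 13 events|
|2021-03-30T08:26:06.239+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 2 events|
|2021-03-30T08:26:07.240+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events|
2021-03-30T08:26:08.001+0800\tINFO\tbeater/eventlogger.go:88\tEventLog[Microsoft-Windows-TerminalServices-Gateway/Operational] successfully published 3 events
2021-03-30T08:26:08.530+0800\tINFO\tbeater/eventlogger.go:88\tEventLog[System] successfully published 7 events
2021-03-30T08:26:09.120+0800\tINFO\t[monitoring]\tlog/log.go:144\tNon-zero metrics in the last 30s
"""

# Constructed placeholder: per-channel hit counts a Graylog search returned for
# the same minute (assumed to be keyed by the winlogbeat channel name).
GRAYLOG_SEEN_SAMPLE: Dict[str, int] = {
    "Microsoft-Windows-Sysmon/Operational": 0,
    "Microsoft-Windows-TerminalServices-Gateway/Operational": 1,
    "System": 7,
}


def parse_publish_line(line: str) -> Optional[Tuple[str, int]]:
    """Return (channel, published_count) for a publish line, else None."""
    normalised = line.strip().strip("|").replace("|", "\t")
    m = PUBLISH_RE.match(normalised)
    if not m:
        return None
    return m.group("log"), int(m.group("n"))


def summarize_publishes(lines: Iterable[str]) -> Dict[str, int]:
    """Sum the events winlogbeat reports as published, per channel."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse_publish_line(line)
        if parsed:
            channel, count = parsed
            totals[channel] += count
    return dict(totals)


def find_shortfalls(
    published: Dict[str, int], graylog_counts: Dict[str, int]
) -> List[Tuple[str, int, int]]:
    """Channels where Graylog shows fewer events than winlogbeat published.

    Returns (channel, published, seen_in_graylog), sorted by channel. A channel
    that never appears in the beat's log is a shipper-side problem and is not
    reported here.
    """
    shortfalls: List[Tuple[str, int, int]] = []
    for channel, sent in sorted(published.items()):
        seen = graylog_counts.get(channel, 0)
        if seen < sent:
            shortfalls.append((channel, sent, seen))
    return shortfalls


if __name__ == "__main__":
    totals = summarize_publishes(SAMPLE_WINLOGBEAT_LOG.splitlines())
    for channel, sent, seen in find_shortfalls(totals, GRAYLOG_SEEN_SAMPLE):
        print(f"{channel}: winlogbeat published {sent}, Graylog shows {seen}")
```

Run against a real `winlogbeat` log, the Sysmon total should match a Graylog search on the channel field for the same window; a large published count against zero hits is the pattern in the post, and it narrows the search to the Beats input, the pipeline rules and the stream rules rather than to the beat itself.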