Winlogbeat "publishes" fine but specific events aren't seen in Graylog

Hi all, I’m fairly new to all of this, so please let me know if you need more info or if I’m barking up the wrong tree.

I’ve setup a single plain Graylog server on Debian 10, configured a Winlogbeat sidecar and deployed it out to my servers. The config:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

   hosts: ["<server>"]
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
 - windows
   - name: Application
   - name: Security
        - drop_event.when.not.or:
            - equals.event_id: 129
   - name: System
        - drop_event.when.not.or:
            - equals.event_id: 129
   - name: DFS Replication
   - name: Microsoft-Windows-Backup
   - name: Microsoft-Windows-BitLocker/BitLocker Operational
   - name: Microsoft-Windows-DNS-Client/Operational
   - name: Microsoft-Windows-GroupPolicy/Operational
   - name: Microsoft-Windows-Kernel-Boot/Operational
   - name: Microsoft-Windows-NCSI/Operational
   - name: Microsoft-Windows-Ntfs/Operational
   - name: Microsoft-Windows-SMBServer/Operational
   - name: Microsoft-Windows-SMBServer/Security
   - name: Microsoft-Windows-Sysmon/Operational
   - name: Microsoft-Windows-TaskScheduler/Operational
   - name: Microsoft-Windows-TCPIP/Operational
   - name: Microsoft-Windows-TerminalServices-Gateway/Operational
   - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
   - name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
   - name: Microsoft-Windows-UAC/Operational
   - name: Microsoft-Windows-User Profile Service/Operational
   - name: Microsoft-Windows-Windows Defender/Operational
   - name: Microsoft-Windows-WindowsUpdateClient/Operational
   - name: Microsoft-Windows-Winlogon/Operational
   - name: OpenSSH/Operational

For most of the event sources above, the system is working great. However, for Microsoft-Windows-Sysmon/Operational and Microsoft-Windows-TerminalServices-Gateway/Operational I’m getting no events, or only some (respectively).

The sysmon log is quite noisy, and I can see winlogbeat publishing events in it’s log:

|2021-03-30T08:26:01.175+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events|
|2021-03-30T08:26:03.193+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 11 events|
|2021-03-30T08:26:04.174+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events|
|2021-03-30T08:26:05.222+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 13 events|
|2021-03-30T08:26:06.239+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 2 events|
|2021-03-30T08:26:07.240+0800|INFO|beater/eventlogger.go:88|EventLog[Microsoft-Windows-Sysmon/Operational] successfully published 1 events|

When searching in Graylog for “sysmon” I can only see things related to sysmon (e.g. the task to set it up) rather than the contents of the log. When I use winlogbeat_event_provider:Microsoft-Windows-Sysmon as a filter for the last week, I get nothing at all.

For the TS Gateway log, some events are seen, but not the ones I actually care about:
I want to see when a user uses the gateway, which is shown by this event:

I currently have a task scheduled to trigger when that particular event happens and email a logging mailbox. I can see that happening at the right time in graylog, but the event we want isn’t shown at all.

<Image would be attached but I’m limited to 1 per post for now>

What’s weird is that the “boring” messages from the TS Gateway log (service starts), are coming through.

This whole time I’m using the all messages stream, and I can’t think of any way that this stuff is being filtered out (as winlogbeat seems to grab the data fine).

Any help is appreciated!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.