Winlogbeat sidecar message not incoming

1. Describe your incident:

I’m currently using NXLOG to ingest Windows logs and I want to migrate to Winlogbeat.
For a start I want to ingest all event logs for Windows PowerShell.

It seems that the messages are not coming in (I clicked "show messages" from the sidecar page for my computer) with Winlogbeat, while I have many PowerShell log messages in the Windows event log from the last hours.

2. Describe your environment:

graylog 5.1.3
elasticsearch 7.10.2
winlogbeat with graylog sidecar 1.4.0.1
mongodb 6.0.6

- Port 5044/tcp open

nc -z -v 192.168.1.51 5044
Connection to 192.168.1.51 5044 port [tcp/lxi-evntsvc] succeeded!

- tcpdump active:

root@docker-node1 graylog]# tcpdump -i any port 5044 -n
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:24:29.208500 ens33 In  IP 192.168.1.108.65079 > 192.168.1.51.lxi-evntsvc: Flags [.], seq 494728375:494728376, ack 135538921, win 8212, length 1
11:24:29.208524 br-85e65866b060 Out IP 192.168.1.108.65079 > 172.21.0.5.lxi-evntsvc: Flags [.], seq 494728375:494728376, ack 135538921, win 8212, length 1
11:24:29.208528 veth19b9013 Out IP 192.168.1.108.65079 > 172.21.0.5.lxi-evntsvc: Flags [.], seq 0:1, ack 1, win 8212, length 1
11:24:29.208546 veth19b9013 P   IP 172.21.0.5.lxi-evntsvc > 192.168.1.108.65079: Flags [.], ack 1, win 19093, options [nop,nop,sack 1 {0:1}], length 0
11:24:29.208553 br-85e65866b060 In  IP 172.21.0.5.lxi-evntsvc > 192.168.1.108.65079: Flags [.], ack 1, win 19093, options [nop,nop,sack 1 {0:1}], length 0
11:24:29.208565 ens33 Out IP 192.168.1.51.lxi-evntsvc > 192.168.1.108.65079: Flags [.], ack 1, win 19093, options [nop,nop,sack 1 {0:1}], length 0

192.168.1.108 is my computer
192.168.1.51 is graylog
172.21.0.5 is graylog container ip

- Input beats:

bind_address: 0.0.0.0
charset_name: UTF-8
no_beats_prefix: false
number_worker_threads: 4
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password:********

- sidecar winlogbeat for powershell:

tags: winlogbeat-powershell

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["graylog.company.lan:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

 
winlogbeat.event_logs:
   - name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
     level: 'critical, error, warning'
     ignore_older: 48h
   
   - name: Windows PowerShell
     level: 'critical, error, warning'
     ignore_older: 48h
     
   - name: Microsoft-Windows-PowerShell/Operational
     level: 'critical, error, warning'
     ignore_older: 48h

- client sidecar.yml:

server_url: "https://graylog.company.lan/api"
server_api_token: "token_secret"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_name: ""
update_interval: 10
tls_skip_verify: true
send_status: true
tags: 
   - winlogbeat-powershell
  
collector_binaries_accesslist:
  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"

- Index and stream created for Winlogbeat events:
Index (screenshot not preserved)

Stream (screenshot not preserved)

3. What steps have you already taken to try and solve the problem?

I checked the firewall, all good.
I checked the configuration, it seems OK?
The Winlogbeat logs do not display any errors.

4. How can the community help?

Am I missing something? I followed the Graylog official documentation and I’m stuck.

Hi @s0p4L1N,

I don’t think you have a Graylog problem.

It appears from this article PowerShell Module | Winlogbeat Reference [7.17] | Elastic, that Winlogbeat only supports specific event IDs. You cannot simply name the container and collect all logs.

You have to include the specific events you want to collect.

Good luck, please report back here with what you learn.

The logs are coming through now; adding the EventID helped, as you said.

Maybe for the next person who will have this “issue”, add this information to this page. Beginners like me do not have the intuition to go look directly at the Winlogbeat documentation, even if it is well known to RTFM.

I thought at first that naming only the channel was sufficient, and as it did not even show any errors, I did not look on the Winlogbeat side.

Thank you for your help anyway :smiley:

Thanks for reporting back so others can benefit from your question. Thank you also for the suggestion. I would think we could even go one step further by including a powershell sample winlogbeat configuration in the product itself. We already have them for other log types. Can you share yours (sanitized, of course) to use as a template when I submit the feature request? I could do it from scratch, but if you already have a working configuration, I’ll use that instead. TIA

Here’s my basic sidecar winlogbeat configuration for PowerShell:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["dns_server_name:5044"]

path.data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
path.logs: C:\Program Files\Graylog\sidecar\logs
path.module: C:\Program Files\Graylog\sidecar\module
 
winlogbeat.event_logs:

#PowerShell
   - name: Windows PowerShell
     event_id: 400, 403, 600, 800
     ignore_older: 48h
     processors:
      - script:
          lang: javascript
          id: powershell
          file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js
     
   - name: Microsoft-Windows-PowerShell/Operational
     event_id: 4100, 4103, 4104, 4105, 4106
     ignore_older: 48h
     processors:
      - script:
          lang: javascript
          id: powershell
          file: C:\Program Files\Graylog\sidecar\module\powershell\config\winlogbeat-powershell.js

I also noticed that the Graylog Sidecar agent does not include the PowerShell/Security/Sysmon Winlogbeat modules by default; I had to copy them from the Winlogbeat zip.

You can also look at this GitHub page where someone created a winlogbeat template for the event IDs to monitor as a priority: https://github.com/jhochwald/Universal-Winlogbeat-configuration/blob/main/assets/winlogbeat.yml
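The two replies above settle on two things a PowerShell winlogbeat configuration needs before any message reaches Graylog: an explicit event_id list per channel, and the module script file that the sidecar package does not ship. The checker below is an added example (not Graylog, Elastic or sidecar code) that reads the winlogbeat.event_logs section of a sidecar configuration and reports both problems. It also flags a level filter such as 'critical, error, warning', because the PowerShell events in the working configuration (400, 403, 600, 800, 4103, 4104, 4105, 4106) are normally written at Information or Verbose level, so such a filter drops them without logging an error. It uses only the standard library and understands the flat "key: value" layout of the configurations in this thread, not arbitrary YAML; both sample configurations and the level table are constructed for the example.

```python
"""Lint the winlogbeat.event_logs section of a Graylog sidecar configuration.

Added example, not Graylog or Elastic code. Standard library only (no PyYAML);
it handles the flat 'key: value' layout used in this thread's configurations.
"""
import os
import re

# Level names accepted by the winlogbeat event_logs 'level' setting.
ALL_LEVELS = {"critical", "error", "warning", "information", "verbose"}

# PowerShell event IDs that Windows normally writes at Information or Verbose
# level, so a filter such as level: 'critical, error, warning' silently drops
# them. Constructed reference data for this example.
INFO_OR_VERBOSE_IDS = {400, 403, 600, 800, 4103, 4104, 4105, 4106}


def parse_event_ids(value):
    """Turn '400, 403, 600, 800' or '4100-4106' into a sorted list of ints."""
    ids = set()
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", token)
        if m:
            ids.update(range(int(m.group(1)), int(m.group(2)) + 1))
        else:
            ids.add(int(token))
    return sorted(ids)


def parse_event_logs(text):
    """Extract one dict per '- name:' entry under winlogbeat.event_logs."""
    entries, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("winlogbeat.event_logs:"):
            in_section = True
            continue
        if not in_section:
            continue
        if len(line) - len(line.lstrip()) == 0:
            break  # next top-level key: the section is over
        if stripped.startswith("- name:"):
            current = {"name": stripped[len("- name:"):].strip(),
                       "event_id": [], "level": None, "script_file": None}
            entries.append(current)
            continue
        if current is None or ":" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split(":", 1))
        value = value.strip("'\"")
        if key == "event_id":
            current["event_id"] = parse_event_ids(value)
        elif key == "level":
            current["level"] = value
        elif key == "file":  # processor script path
            current["script_file"] = value
    return entries


def check_event_logs(entries, path_exists=os.path.exists):
    """Return a list of findings; an empty list means the section looks usable."""
    findings = []
    for e in entries:
        name = e["name"]
        if not e["event_id"]:
            findings.append(f"{name}: no event_id list, only the channel name is given")
        if e["level"]:
            levels = {lvl.strip().lower() for lvl in e["level"].split(",")}
            unknown = levels - ALL_LEVELS
            if unknown:
                findings.append(f"{name}: unknown level name(s) {sorted(unknown)}")
            if not levels & {"information", "verbose"}:
                dropped = [i for i in e["event_id"] if i in INFO_OR_VERBOSE_IDS]
                dropped = dropped or sorted(INFO_OR_VERBOSE_IDS)
                findings.append(f"{name}: level filter {sorted(levels)} drops "
                                f"Information/Verbose events such as {dropped}")
        if e["script_file"] and not path_exists(e["script_file"]):
            findings.append(f"{name}: processor script {e['script_file']} not found; "
                            "the sidecar package does not ship the Winlogbeat modules")
    return findings


# Constructed sample resembling the first (non-working) configuration above.
LEVEL_ONLY_CONFIG = """\
fields_under_root: true
output.logstash:
   hosts: ["graylog.example.lan:5044"]
winlogbeat.event_logs:
   - name: Windows PowerShell
     level: 'critical, error, warning'
     ignore_older: 48h
   - name: Microsoft-Windows-PowerShell/Operational
     level: 'critical, error, warning'
     ignore_older: 48h
"""

# Constructed sample resembling the working configuration posted above.
EVENT_ID_CONFIG = """\
winlogbeat.event_logs:

#PowerShell
   - name: Windows PowerShell
     event_id: 400, 403, 600, 800
     ignore_older: 48h
     processors:
      - script:
          lang: javascript
          id: powershell
          file: C:\\Program Files\\Graylog\\sidecar\\module\\powershell\\config\\winlogbeat-powershell.js
   - name: Microsoft-Windows-PowerShell/Operational
     event_id: 4100, 4103, 4104, 4105, 4106
     ignore_older: 48h
"""

if __name__ == "__main__":
    for label, cfg in (("level-only", LEVEL_ONLY_CONFIG), ("event_id", EVENT_ID_CONFIG)):
        print(f"== {label} ==")
        for finding in check_event_logs(parse_event_logs(cfg)) or ["no findings"]:
            print(" -", finding)
```

Run it on the Windows host where the sidecar lives so the script-file check sees the real path; on any other machine that check reports the module file as missing, which is the same symptom as a sidecar package that was never completed with the modules from the Winlogbeat zip.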


Thank you. I submitted the feature request.
