Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining the Graylog Illuminate release file.

This technology pack will process Windows Security event logs, providing normalization and enrichment of common events of interest. In addition, it will identify all Windows logs that have not been processed by any other technology pack, normalize common event log fields, and index these messages in a separate index.

Supported Version(s)

  • Currently supported version of the Windows operating system

Requirements

  • Event logs delivered to Graylog via Winlogbeat 7.x or NXLog 2.10.
Warning: Graylog only supports Winlogbeat 7.x. Do not upgrade to version 8.0 and above. This will cause errors with your Graylog instance.

Stream Configuration

This technology pack includes two streams:

  • “Illuminate:Windows Security Event Log Messages,” which contains all messages from the Windows Security event log

  • “Illuminate:Windows Event Log Messages,” which will contain all event log messages that have not been processed by this or any other technology pack

Index Set Configuration

This technology pack includes two index set definitions:

  • “Windows Security Event Log Messages,” which contains all messages from the Windows Security event log
  • “Windows Event Log Messages,” which will contain all event log messages that have not been processed by this or any other technology pack

If these index sets are already defined, then nothing will be changed. If these index sets do not exist, then they will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

What is Provided

  • Parsing and normalization to extract Windows event logs into Graylog schema compatible fields
  • Graylog Information Model categorization of messages
  • Illuminate Spotlight

Events Processed by This Technology Pack

The Windows Security technology pack will apply normalization of common event log fields, such as Event ID, to all Windows event log messages. The Windows Security technology pack will provide normalization and enrichment to the following Windows security event log IDs:

1100 1101 1102 1104 4616 4624
4625 4634 4647 4648 4672 4688
4689 4720 4721 4722 4723 4724
4725 4726 4727 4728 4729 4730
4731 4732 4733 4734 4735 4737
4738 4740 4741 4742 4743 4754
4755 4756 4757 4758 4764 4767
4769 4770 4771 4776 4778 4779
4781 4798 4779 4781 4798 4799
4820 4821 4822 4823 4824 4663

4763