Ingest Windows Eventlog
Some agents allow sending Windows event logs via Syslog. Others have a proprietary protocol implemented. Graylog can work with those that use Syslog for transport or those that speak GELF. One collector that should be mentioned is the NXLog community edition that can read the windows event log and forward that to Graylog via GELF.
But the recommended approach is to make use of Winlogbeat. This is currently the best-known way to ingest windows event logs into Graylog.
The collector can be configured manually with any software configuration utility present in the environment. The Graylog Sidecar can be used to configure and control the collectors. Manual installation and configuration are also options.
Input is needed in order to ingest messages into Graylog. This input needs to match the collector. For NXLog, you would most likely need a GELF input. For winlogbeat, you need a beats input.
Here's an example of a winlogbeat configuration that reduces noise but still gives enough information:
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
hosts: ["graylog:5044"]
winlogbeat.event_logs:
- name: Application
level: critical, error, warning
ignore_older: 48h
- name: Security
processors:
- drop_event.when.not.or:
- equals.event_id: 129
- equals.event_id: 141
- equals.event_id: 1102
- equals.event_id: 4648
- equals.event_id: 4657
- equals.event_id: 4688
- equals.event_id: 4697
- equals.event_id: 4698
- equals.event_id: 4720
- equals.event_id: 4738
- equals.event_id: 4767
- equals.event_id: 4728
- equals.event_id: 4732
- equals.event_id: 4634
- equals.event_id: 4735
- equals.event_id: 4740
- equals.event_id: 4756
level: critical, error, warning, information
ignore_older: 48h
- name: System
processors:
- drop_event.when.not.or:
- equals.event_id: 129
- equals.event_id: 1022
- equals.event_id: 1033
- equals.event_id: 1034
- equals.event_id: 4624
- equals.event_id: 4625
- equals.event_id: 4633
- equals.event_id: 4719
- equals.event_id: 4738
- equals.event_id: 7000
- equals.event_id: 7022
- equals.event_id: 7024
- equals.event_id: 7031
- equals.event_id: 7034-7036
- equals.event_id: 7040
- equals.event_id: 7045
level: critical, error, warning
ignore_older: 48h