Ingest Windows Event Logs
  • 23 Aug 2022

Windows Event Logs

Some agents can send Windows event logs via Syslog; others implement a proprietary protocol. Graylog can work with any agent that uses Syslog for transport or that speaks GELF. One collector worth mentioning is the NXLog community edition, which can read the Windows event log and forward it to Graylog via GELF.

The recommended approach, however, is to use Winlogbeat. It is currently the best-known way to ingest Windows event logs into Graylog.

Caution
If you are ingesting via Winlogbeat, please note that Graylog only supports Winlogbeat 7.x. Do not upgrade to version 8.0 and above. This will cause errors with your Graylog instance.

The collector can be configured manually or with any software configuration utility already present in the environment, and the Graylog Sidecar can be used to deploy, configure and control the collectors centrally.

An input is needed in order to ingest messages into Graylog, and it must match the collector: for NXLog you would most likely need a GELF input, for Winlogbeat you need a Beats input.

Here is an example of a Winlogbeat configuration that reduces noise but still gives enough information:

# Sidecar template variables that tag every message with the collector it came from
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# Winlogbeat speaks the Beats protocol, so point it at Graylog's Beats input
output.logstash:
  hosts: ["graylog:5044"]

winlogbeat.event_logs:
  # level and ignore_older are applied by the reader before any processor runs
  - name: Application
    level: critical, error, warning
    ignore_older: 48h
  - name: Security
    # keep only the listed event IDs; every other Security event is dropped
    processors:
        - drop_event.when.not.or:
            - equals.event_id: 129
            - equals.event_id: 141
            - equals.event_id: 1102
            - equals.event_id: 4648
            - equals.event_id: 4657
            - equals.event_id: 4688
            - equals.event_id: 4697
            - equals.event_id: 4698
            - equals.event_id: 4720
            - equals.event_id: 4738
            - equals.event_id: 4767
            - equals.event_id: 4728
            - equals.event_id: 4732
            - equals.event_id: 4634
            - equals.event_id: 4735
            - equals.event_id: 4740
            - equals.event_id: 4756
    level: critical, error, warning, information
    ignore_older: 48h
  - name: System
    processors:
        - drop_event.when.not.or:
            - equals.event_id: 129
            - equals.event_id: 1022
            - equals.event_id: 1033
            - equals.event_id: 1034
            - equals.event_id: 4624
            - equals.event_id: 4625
            - equals.event_id: 4633
            - equals.event_id: 4719
            - equals.event_id: 4738
            - equals.event_id: 7000
            - equals.event_id: 7022
            - equals.event_id: 7024
            - equals.event_id: 7031
            # the equals condition matches exact values only, so a range such as
            # 7034-7036 has to be written out as one entry per ID
            - equals.event_id: 7034
            - equals.event_id: 7035
            - equals.event_id: 7036
            - equals.event_id: 7040
            - equals.event_id: 7045
    level: critical, error, warning
    ignore_older: 48h
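To see what the configuration above actually lets through, the following reference model (an added example, not Graylog's or Elastic's code) re-implements the three per-channel settings used there, the level list, ignore_older and the drop_event.when.not.or allow-list of event IDs, and runs them over a handful of constructed sample events. The filter table mirrors the page's configuration, with the assumption that the page's 7034-7036 entry is meant as the three individual IDs, since the Beats equals condition only matches exact values; the channel names, event IDs, levels and timestamps in SAMPLE_EVENTS are constructed for illustration, not real log data.

```python
"""Reference model of the Winlogbeat per-channel filtering used in the
configuration above (added example; not Graylog's or Elastic's code)."""

from datetime import datetime, timedelta, timezone

# Filter table mirroring the page's winlogbeat.event_logs section.
# Assumption: the range 7034-7036 is expanded to single IDs because the
# Beats `equals` condition does not understand ranges.
FILTERS = {
    "Application": {
        "level": "critical, error, warning",
        "ignore_older": "48h",
        "keep_event_ids": None,  # no processors: every ID passes
    },
    "Security": {
        "level": "critical, error, warning, information",
        "ignore_older": "48h",
        "keep_event_ids": {129, 141, 1102, 4648, 4657, 4688, 4697, 4698, 4720,
                           4738, 4767, 4728, 4732, 4634, 4735, 4740, 4756},
    },
    "System": {
        "level": "critical, error, warning",
        "ignore_older": "48h",
        "keep_event_ids": {129, 1022, 1033, 1034, 4624, 4625, 4633, 4719, 4738,
                           7000, 7022, 7024, 7031, 7034, 7035, 7036, 7040, 7045},
    },
}


def parse_duration(text):
    """Parse the Beats duration syntax used by ignore_older ('48h', '30m', '10s')."""
    units = {"s": "seconds", "m": "minutes", "h": "hours"}
    unit = text[-1]
    if unit not in units:
        raise ValueError(f"unsupported duration: {text}")
    return timedelta(**{units[unit]: int(text[:-1])})


def parse_levels(text):
    """'critical, error, warning' -> {'critical', 'error', 'warning'}."""
    return {part.strip().lower() for part in text.split(",") if part.strip()}


def keep_event(event, now):
    """Decide one event's fate. `event` has channel, event_id (int), level (str)
    and time (timezone-aware datetime). Returns (kept?, reason)."""
    flt = FILTERS.get(event["channel"])
    if flt is None:
        return False, "channel not collected"
    # The reader applies ignore_older and level before processors run.
    if now - event["time"] > parse_duration(flt["ignore_older"]):
        return False, "older than ignore_older"
    if event["level"].lower() not in parse_levels(flt["level"]):
        return False, "level not selected"
    wanted = flt["keep_event_ids"]
    if wanted is not None and event["event_id"] not in wanted:
        return False, "event_id not in drop_event allow-list"
    return True, "kept"


def filter_events(events, now):
    """Run keep_event over a batch; returns (kept events, per-event reasons)."""
    kept, reasons = [], []
    for ev in events:
        ok, why = keep_event(ev, now)
        reasons.append((ev["channel"], ev["event_id"], why))
        if ok:
            kept.append(ev)
    return kept, reasons


# Constructed sample events (illustrative only, not captured log data).
NOW = datetime(2022, 8, 23, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4688, "level": "information", "time": NOW - timedelta(hours=1)},
    {"channel": "Security", "event_id": 4624, "level": "information", "time": NOW - timedelta(hours=1)},
    {"channel": "Security", "event_id": 1102, "level": "information", "time": NOW - timedelta(hours=72)},
    {"channel": "System", "event_id": 7035, "level": "information", "time": NOW - timedelta(minutes=5)},
    {"channel": "System", "event_id": 7045, "level": "warning", "time": NOW - timedelta(minutes=5)},
    {"channel": "Application", "event_id": 1000, "level": "error", "time": NOW - timedelta(minutes=5)},
    {"channel": "Setup", "event_id": 1, "level": "error", "time": NOW},
]

if __name__ == "__main__":
    kept, reasons = filter_events(SAMPLE_EVENTS, NOW)
    for channel, event_id, why in reasons:
        print(f"{channel:<12} {event_id:>5}  {why}")
    print(f"{len(kept)} of {len(SAMPLE_EVENTS)} events forwarded")
```

Running it shows the interaction between the settings that is easy to miss when reading the YAML: an event ID on the System allow-list is still dropped when its level is not in the channel's level list, and a Security event that is on the list but older than 48h never reaches the processor at all. Editing FILTERS and SAMPLE_EVENTS is a cheap way to check a proposed change to the allow-lists before rolling it out through the Sidecar.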
