In a previous post, we discussed deploying a centralized log collection and management service using the Graylog stack (Graylog + OpenSearch + MongoDB). This article will guide you on sending Event Viewer logs from Windows hosts, including Active Directory domain controller events, to Graylog.
Configuring Graylog Data Collector for Windows Devices
To start, navigate to System -> Inputs in the Graylog interface. Add a new collector for Windows Server Devices with the type set to Beats listening on TCP port 5044. Create a separate index for Windows Event logs and establish a new Windows stream based on the new input and index.
Winlogbeat: Sending Windows Event Logs to Graylog
To send EventViewer logs from Windows hosts to the Graylog server, utilize the Winlogbeat log collector service, which is part of the ELK stack. Install Winlogbeat on each Windows host you wish to monitor.
- Download the Winlogbeat archive from the download page.
- Extract the contents to
C:Program Fileswinlogbeat. - Edit the winlogbeat.yml configuration file.
In its simplest form, your configuration should send events from the Application, Security, and System Event logs:
winlogbeat.event_logs: - name: Application ignore_older: 72h - name: Security - name: Systemoutput.logstash: hosts: ["192.168.14.146:5044"]For more specific logging, you can configure it to collect selected events based on severity levels and EventIDs. After editing the configuration, verify its correctness and ensure the log collector service is running.
cd "C:Program Fileswinlogbeat".winlogbeat test config.winlogbeat test outputIf successful, install and start the Winlogbeat service:
.install-service-winlogbeat.ps1Start-Service winlogbeatCheck the Graylog web interface to confirm that your Windows server logs are appearing in the designated stream.
Collect Active Directory Domain Controller Event Logs with Graylog
Graylog allows you to search and analyze Windows events effectively with Active Directory as an example. If multiple domain controllers exist, the centralized log collector simplifies the process of identifying specific events.
To find out, for instance, which computer locked a user account due to incorrect password attempts, you can run a query in Graylog:
winlogbeat_event_code:(4740 OR 4625) AND winlogbeat_event_provider:Microsoft-Windows-Security-AuditingThis centralized logging helps in quickly identifying significant events like user password resets or account creations using specific EventIDs, such as:
- Event ID 4767 – identifies who unlocked an AD user.
- Event ID 4724 – tracks who reset a domain user’s password.
Make sure Winlogbeat agents are set up on each Domain Controller. Certain Active Directory security events require enabling in the Audit Policy settings.
Centralizing Event Logging for Windows Hosts
With Graylog, you can conveniently collect and analyze logs from various Windows Server services. Consider scenarios for auditing files and folders, tracking deletions, monitoring Remote Desktop connections, and recognizing system shutdown activities.
Graylog’s architecture makes it simple to manage Windows event logs and critical IDs that require monitoring. For more details on specific events and monitoring, you can refer to the Graylog documentation.
Utilizing centralized storage for Windows and Active Directory event logs significantly enhances your ability to investigate security incidents, analyze events, and troubleshoot issues efficiently.