{"id":10611,"date":"2025-02-07T17:01:01","date_gmt":"2025-02-07T17:01:01","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/a-comprehensive-guide-to-collecting-windows-and-active-directory-event-logs-using-graylog\/"},"modified":"2025-02-07T17:01:01","modified_gmt":"2025-02-07T17:01:01","slug":"a-comprehensive-guide-to-collecting-windows-and-active-directory-event-logs-using-graylog","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/a-comprehensive-guide-to-collecting-windows-and-active-directory-event-logs-using-graylog\/","title":{"rendered":"A Comprehensive Guide to Collecting Windows and Active Directory Event Logs Using Graylog"},"content":{"rendered":"

In a previous post, we discussed deploying a centralized log collection and management service using the Graylog stack (Graylog + OpenSearch + MongoDB). This article will guide you on sending Event Viewer logs from Windows hosts, including Active Directory domain controller events, to Graylog.<\/p>\n

Configuring Graylog Data Collector for Windows Devices<\/h2>\n

To start, navigate to System<\/strong> -> Inputs<\/strong> in the Graylog interface. Add a new collector for Windows Server Devices<\/strong> with the type set to Beats<\/strong> listening on TCP port 5044. Create a separate index for Windows Event logs and establish a new Windows stream based on the new input and index.<\/p>\n

Winlogbeat: Sending Windows Event Logs to Graylog<\/h2>\n

To send EventViewer logs from Windows hosts to the Graylog server, utilize the Winlogbeat<\/strong> log collector service, which is part of the ELK stack. Install Winlogbeat on each Windows host you wish to monitor.<\/p>\n

    \n
  1. Download the Winlogbeat archive from the download page<\/a>.<\/li>\n
  2. Extract the contents to C:Program Fileswinlogbeat<\/code>.<\/li>\n
  3. Edit the winlogbeat.yml<\/strong> configuration file.<\/li>\n<\/ol>\n

    In its simplest form, your configuration should send events from the Application, Security, and System Event logs:<\/p>\n

    winlogbeat.event_logs:  - name: Application    ignore_older: 72h  - name: Security  - name: Systemoutput.logstash:  hosts: ["192.168.14.146:5044"]<\/code><\/pre>\n
    For more specific logging, you can configure it to collect selected events based on severity levels and EventIDs. After editing the configuration, verify its correctness and ensure the log collector service is running.<\/p>\n
    cd "C:Program Fileswinlogbeat".winlogbeat test config.winlogbeat test output<\/code><\/pre>\n
    If successful, install and start the Winlogbeat service:<\/p>\n
    .install-service-winlogbeat.ps1Start-Service winlogbeat<\/code><\/pre>\n
    Check the Graylog web interface to confirm that your Windows server logs are appearing in the designated stream.<\/p>\n
    Collect Active Directory Domain Controller Event Logs with Graylog<\/h2>\n
    Graylog allows you to search and analyze Windows events effectively with Active Directory as an example. If multiple domain controllers exist, the centralized log collector simplifies the process of identifying specific events.<\/p>\n
    To find out, for instance, which computer locked a user account due to incorrect password attempts, you can run a query in Graylog:<\/p>\n
    winlogbeat_event_code:(4740 OR 4625) AND winlogbeat_event_provider:Microsoft-Windows-Security-Auditing<\/code><\/pre>\n
    This centralized logging helps in quickly identifying significant events like user password resets or account creations using specific EventIDs, such as:<\/p>\n