Graylog2 / collector-sidecar

Manage log collectors through Graylog
https://www.graylog.org/

Windows Events missing when using v1.1.0 #410

Closed mmahacek closed 3 years ago

mmahacek commented 3 years ago

Problem description

After upgrading from v1.0.2 to v1.1.0, we noticed that Windows account lockout events (event 4740) were no longer being stored in Graylog. After reverting the collector back to 1.0.2, the events started flowing again. No other config changes were made.

Steps to reproduce the problem

  1. Upgrade collector to v1.1.0
  2. Windows security event ID 4740 no longer shows up in Graylog

Environment

kroepke commented 3 years ago

I believe the default winlogbeat version was updated in 1.1.0, can you check whether there are processing errors? Sounds like a schema collision.

tmacgbay commented 3 years ago

I am running Sidecar 1.1.0 on a Windows 2012R2 server and was able to trap/alert on eventID 4740. Just tested it now.

Sidecar 1.1.0, Graylog 4.0.5 (on Ubuntu), MongoDB 4.0.23, Elastic 7.11.1

danielbastos-it commented 3 years ago

I noticed that the variable names were changed from winlogbeat_event_id to winlogbeat_winlog_event_id. This change broke my dashboards and alerts. Did you check for this?

mmahacek commented 3 years ago

Yes, I searched for the number 7470 across all available fields. Other events are showing up in the stream.

As a side note, I have changed jobs and no longer have access to the original system for doing further testing.

danielbastos-it commented 3 years ago

I changed all my dashboards, alerts, and queries after this update to 1.1.0.

I consider it totally absurd to change the names of the variables and not maintain backward compatibility with the previous version. It looks like a beginner's job or someone who has no concern for their customers.

malcyon commented 3 years ago

Looks like there was a field name schema change in Beats 7.0:

https://www.elastic.co/guide/en/beats/libbeat/7.x/breaking-changes-7.0.html
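As an added example (not from this thread, Sidecar or Beats), a small Python check showing why an alert keyed to the pre-7.0 field name goes quiet after the rename quoted above, and a compatibility lookup plus a field-usage count that exposes the drift. The messages are constructed; only the two field names come from the thread.

```python
# Added example: alert logic for Windows event 4740 (account lockout) across
# the two Winlogbeat field names named in this thread. The messages below are
# constructed for illustration, not captured from a real Graylog instance.

OLD_FIELD = "winlogbeat_event_id"         # Beats < 7.0 (Sidecar 1.0.2 era)
NEW_FIELD = "winlogbeat_winlog_event_id"  # Beats 7.x (Sidecar 1.1.0 era)
EVENT_ID_FIELDS = (OLD_FIELD, NEW_FIELD)
LOCKOUT_EVENT_ID = 4740

SAMPLE_MESSAGES = [
    # old schema, as produced before the upgrade
    {"source": "dc01", OLD_FIELD: 4740, "message": "A user account was locked out."},
    # new schema after the upgrade: same event, renamed field
    {"source": "dc01", NEW_FIELD: 4740, "message": "A user account was locked out."},
    # an unrelated event in the new schema
    {"source": "dc01", NEW_FIELD: 4624, "message": "An account was successfully logged on."},
    # a message with no event id field at all (e.g. a non-winlogbeat input)
    {"source": "fw01", "message": "connection accepted"},
]


def event_id(msg):
    """Return the event ID from whichever field is present (coerced to int), else None."""
    for field in EVENT_ID_FIELDS:
        if field in msg:
            try:
                return int(msg[field])
            except (TypeError, ValueError):
                return None
    return None


def lockouts_legacy(messages):
    """The alert as written before the upgrade: keyed only to the old field name."""
    return [m for m in messages if m.get(OLD_FIELD) == LOCKOUT_EVENT_ID]


def lockouts_compat(messages):
    """The same alert reading both field names, so it survives the rename."""
    return [m for m in messages if event_id(m) == LOCKOUT_EVENT_ID]


def schema_drift(messages):
    """Count which event-id field each message carries. An old-field count of zero
    next to a rising new-field count means the legacy alert is silent, not the source."""
    counts = {OLD_FIELD: 0, NEW_FIELD: 0, "none": 0}
    for m in messages:
        hit = next((f for f in EVENT_ID_FIELDS if f in m), "none")
        counts[hit] += 1
    return counts
```

Run `schema_drift` over a recent window after any collector or Beats upgrade; a legacy alert that stops firing while the new-field count climbs is a schema change, not an absence of lockouts.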

mmahacek commented 3 years ago

My original issue is not related to the field name change. Winlogbeat was not creating Graylog messages for Windows Event ID 4740 under any field name. With Sidecar v1.1.0, a search of 4740 found no results in any field of any collector.