Closed mmahacek closed 3 years ago
I believe the default winlogbeat version was updated in 1.1.0, can you check whether there are processing errors? Sounds like a schema collision.
I am running Sidecar 1.1.0 on a Windows 2012R2 server and was able to trap/alert on eventID 4740. Just tested it now.
Sidecar 1.1.0, Graylog 4.0.5 (on Ubuntu), MongoDB 4.0.23, Elastic 7.11.1
I noticed that the variable names were changed from winlogbeat_event_id to winlogbeat_winlog_event_id. This change broke my dashboards and alerts. Did you check for this?
Yes, I searched for the number 7470 across all available fields. Other events are showing up in the stream.
As a side note, I have changed jobs and no longer have access to the original system for doing further testing.
I changed all my dashboards, alerts, and queries after this update to 1.1.0.
I consider it totally absurd to change the names of the variables and not maintain backward compatibility with the previous version. It looks like a beginner's job or someone who has no concern for their customers.
Looks like there was a field name schema change in Beats 7.0:
https://www.elastic.co/guide/en/beats/libbeat/7.x/breaking-changes-7.0.html
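The field rename discussed above (winlogbeat_event_id before Beats 7.0, winlogbeat_winlog_event_id after) is exactly the kind of change that silently breaks an account-lockout alert. The following is an added example, not code from this thread or from the Graylog or Sidecar projects: a small Python helper that reads the event ID from either field name, finds event 4740 messages across a mixed fleet, counts which schema each message uses, and lists hosts from which no lockout event arrived at all, which is how the ingestion break reported in the original issue would show up. The sample messages are constructed, and the assumption that Graylog presents the Winlogbeat fields with a `winlogbeat_` prefix and dots flattened to underscores comes from the field names quoted in the thread.

```python
# Field holding the Windows event ID under the pre-7.0 Winlogbeat schema and under
# the Beats 7.0+ schema, as named in this thread. Assumption: Graylog stores them
# with the "winlogbeat_" prefix and dots flattened to underscores.
LEGACY_EVENT_ID_FIELD = "winlogbeat_event_id"
CURRENT_EVENT_ID_FIELD = "winlogbeat_winlog_event_id"

# Windows Security log event "A user account was locked out."
ACCOUNT_LOCKOUT_EVENT_ID = 4740

# Graylog (Lucene-style) search that matches the lockout event under either
# schema, so a dashboard or alert keeps working across the collector upgrade.
LOCKOUT_QUERY = (
    f"{CURRENT_EVENT_ID_FIELD}:{ACCOUNT_LOCKOUT_EVENT_ID} "
    f"OR {LEGACY_EVENT_ID_FIELD}:{ACCOUNT_LOCKOUT_EVENT_ID}"
)

# Constructed sample messages, shaped like Graylog message dicts from a fleet where
# some hosts still run the old collector (legacy field) and some the new one.
SAMPLE_MESSAGES = [
    {"source": "dc01", LEGACY_EVENT_ID_FIELD: "4740", "message": "A user account was locked out."},
    {"source": "dc02", CURRENT_EVENT_ID_FIELD: 4740, "message": "A user account was locked out."},
    {"source": "dc02", CURRENT_EVENT_ID_FIELD: 4624, "message": "An account was successfully logged on."},
    {"source": "fs01", "message": "log line without any event id field"},
]


def extract_event_id(message):
    """Return the Windows event ID as an int, checking the current field first and
    falling back to the legacy one. Returns None if neither field is present or
    the value is not numeric, so a renamed field never turns into a false match."""
    for field in (CURRENT_EVENT_ID_FIELD, LEGACY_EVENT_ID_FIELD):
        value = message.get(field)
        if value is None or value == "":
            continue
        try:
            return int(value)
        except (TypeError, ValueError):
            return None
    return None


def find_lockouts(messages):
    """Return every message that is an account-lockout event, whichever schema it uses."""
    return [m for m in messages if extract_event_id(m) == ACCOUNT_LOCKOUT_EVENT_ID]


def schema_summary(messages):
    """Count messages per schema. A non-zero "unknown" count after an upgrade is the
    first thing to check: those messages carry no event ID field at all."""
    counts = {"legacy": 0, "current": 0, "unknown": 0}
    for m in messages:
        if CURRENT_EVENT_ID_FIELD in m:
            counts["current"] += 1
        elif LEGACY_EVENT_ID_FIELD in m:
            counts["legacy"] += 1
        else:
            counts["unknown"] += 1
    return counts


def hosts_missing_lockouts(messages, expected_hosts):
    """Hosts that were expected to report lockouts but sent none. Silence from a host
    that used to report event 4740 is the symptom described in the original issue."""
    seen = {m.get("source") for m in find_lockouts(messages)}
    return [h for h in expected_hosts if h not in seen]


if __name__ == "__main__":
    print("query:", LOCKOUT_QUERY)
    print("lockouts:", [m["source"] for m in find_lockouts(SAMPLE_MESSAGES)])
    print("schemas:", schema_summary(SAMPLE_MESSAGES))
    print("silent hosts:", hosts_missing_lockouts(SAMPLE_MESSAGES, ["dc01", "dc02", "dc03"]))
```

The point of checking both field names rather than replacing one with the other is that a staged collector rollout leaves the fleet on two schemas at once; an alert pinned to a single name goes quiet for half the hosts, and `hosts_missing_lockouts` is the check that notices the silence instead of assuming no lockouts happened.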
My original issue is not related to the field name change. Winlogbeat was not creating Graylog messages for Windows Event ID 4740 under any field name. With Sidecar v1.1.0, a search of 4740 found no results in any field of any collector.
Problem description
After upgrading from v1.0.2 to v1.1.0, we noticed that Windows account lockout events (event 4740) were no longer being stored in Graylog. After reverting the collector back to 1.0.2, the events started flowing again. No other config changes were made.
Steps to reproduce the problem
Environment