Tested with Winlogbeat & Filebeat 7.12.1.0 / Windows 2022 / Windows 10 / Graylog 5.2.2
The Content Pack should be compatible with all Graylog 5.2.X versions. This content pack contains configuration for Windows 10 Security Events, Windows Server 2022 Security Events, Active Directory, Windows DNS & DHCP Server, and DFS Server.
Note this was built using Filebeat and Winlogbeat as the log exporters. No input extractors were used, only pipeline rules.
No additional Grok patterns are needed; it uses the defaults like WORD/GREEDYDATA etc.
You need to download the CSV files manually.
Add them to your Graylog server in /srv. If you use a different location, modify content_pack.json to change the path (CTRL + F and replace all occurrences with the desired path).
If you do not add them, some dashboards will not display all information; these CSV files are used by Lookup Tables to enrich data.
Be careful: by default Graylog Sidecar 1.5.0 embeds two bad binary versions of Filebeat and Winlogbeat (8.9.0), which are not compatible with OpenSearch 2.X! The latest compatible version is 7.12.1. Replace the two binaries with the 7.12.1 version.
Download the Filebeat archive and extract the .exe
Download the Winlogbeat archive and extract the .exe
You will need to generate an API token for your Sidecar agent so it can communicate with Graylog. Follow this Graylog guide if you don't know how.
By default, Graylog Sidecar does not embed the Winlogbeat modules in
C:\Program Files\Graylog\sidecar\module
Download the module folder from this project and add it to your computer/server.
Visit for more info
I've made some dashboards based on server names to filter some logged events in or out. You will need to adjust the filters based on your infrastructure.
Follow these instructions:
Search & replace (use Notepad++ for example):
srv*
---> This filter means all NetBIOS names starting with srv (e.g. srvdfs, srvad1, etc.). I use it to show only computer data on dashboards by using NOT conditions; you should replace this filter with either the names of all your servers or another field key which is easier to implement and identifies all servers.
Replace srv*
by (name1 OR name2 OR name3)
where nameX are all your server names.

(srvad1 OR srvad2)
--> On my test prod, I have 2 AD DCs; I use this filter where I want to show data only from my 2 DCs.
Replace (srvad1 OR srvad2)
by (DCname1 OR DCname2 OR DCname3)
where DCnameX are all your DC names.

srvdfs1
--> On my test prod, I have a DFS server hosting a SAMBA share, so I created a dashboard to monitor file events for this server. If you don't have one you can ignore it and delete the dashboard tab in the Web UI.
Replace srvdfs1
by yourdfsname
if you have one.

Europe/Paris
--> On my test prod, I'm in France so the timezone is this one; if you are in another timezone, replace it with the desired one.
Replace Europe/Paris
by Country/Town
the timezone of your choice.

graylog.lab.lan
--> It is my test domain FQDN; change it according to your server FQDN / IP address, so that all sidecars are correctly configured to send data to your Graylog server.
Replace graylog.lab.lan
by graylog.your.fqdn.com
which normally should be the FQDN pointing to your Graylog server.

By default, the Content Pack cannot embed an Index. I recommend you create one in order to separate Filebeat and Winlogbeat data, and so on. I don't think you want all data in the same index: it is like eating all the meal ingredients at the same time, it's difficult to recognize the taste of each.
Then change the index for the Winlogbeat stream.
Repeat the process for Filebeat.
And so on...
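The search & replace steps above (the /srv CSV path, srv*, (srvad1 OR srvad2), srvdfs1, Europe/Paris and graylog.lab.lan) can be scripted instead of done by hand in an editor. The following is an added example, not part of this project: it applies the replacements to the content pack text, counts how many occurrences each one touched, and re-parses the result as JSON so that a replacement value containing a quote or an unescaped backslash cannot silently break the pack before you upload it. The content pack snippet and the target names (dc01, fs01, /opt/graylog/lookup/, graylog.example.com) are constructed placeholders.

```python
import json

# Constructed stand-in for content_pack.json (not the project's real file):
# a lookup-table CSV path under /srv, dashboard queries using the srv*,
# (srvad1 OR srvad2) and srvdfs1 filters, the Europe/Paris timezone and
# the graylog.lab.lan test FQDN.
SAMPLE_CONTENT_PACK = """{
  "entities": [
    {"type": "lookup_adapter", "path": "/srv/windows_event_ids.csv"},
    {"type": "widget", "query": "NOT winlogbeat_host_name:srv* AND event_id:4624"},
    {"type": "widget", "query": "winlogbeat_host_name:(srvad1 OR srvad2)"},
    {"type": "widget", "query": "winlogbeat_host_name:srvdfs1", "timezone": "Europe/Paris"},
    {"type": "collector", "hosts": ["graylog.lab.lan:5044"]}
  ]
}"""

# Hypothetical target values: substitute your own server names, path and FQDN.
MY_REPLACEMENTS = {
    "/srv/": "/opt/graylog/lookup/",
    "(srvad1 OR srvad2)": "(dc01 OR dc02)",
    "srvdfs1": "fs01",
    "srv*": "(dc01 OR dc02 OR fs01)",
    "Europe/Paris": "Europe/Berlin",
    "graylog.lab.lan": "graylog.example.com",
}


def customize_content_pack(text, replacements):
    """Apply every placeholder replacement to the content pack text.

    Returns (new_text, counts), where counts maps each placeholder to the
    number of occurrences replaced. Longer placeholders go first so that
    "(srvad1 OR srvad2)" is rewritten before the shorter ones.
    The result is re-parsed as JSON so that a replacement containing a quote
    or an unescaped backslash cannot silently corrupt the pack before upload.
    """
    counts = {}
    for old in sorted(replacements, key=len, reverse=True):
        counts[old] = text.count(old)
        text = text.replace(old, replacements[old])
    json.loads(text)  # raises ValueError if the edited pack is no longer valid JSON
    return text, counts


def remaining_placeholders(text, replacements):
    """Placeholders still present after editing (should be an empty list)."""
    return [old for old in replacements if old in text]


if __name__ == "__main__":
    new_text, counts = customize_content_pack(SAMPLE_CONTENT_PACK, MY_REPLACEMENTS)
    print(new_text)
    print("replaced:", counts, "left:", remaining_placeholders(new_text, MY_REPLACEMENTS))
```

To use it on the real file, read content_pack.json into a string, pass it to customize_content_pack with your own mapping, and write the returned text to a new file before uploading it to Graylog.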