Windows OS Hub
February 7, 2025

Collecting Windows and Active Directory Event Logs with Graylog

In the previous post, we covered how to deploy a centralized log collection and management service based on the Graylog stack (Graylog + OpenSearch + MongoDB). This post covers how to ship Event Viewer logs from Windows hosts (including Active Directory domain controller events) to the Graylog collector.

Contents:
  • Configuring Graylog Data Collector for Windows Devices
  • Winlogbeat: Sending Windows Event Logs to Graylog
  • Collect Active Directory Domain Controller Event Logs with Graylog
  • Centralizing Event Logging for Windows Hosts

Configuring Graylog Data Collector for Windows Devices

Go to System -> Inputs and add a new input of type Beats named Windows Server Devices that listens on port TCP:5044. Bind it to an address the Windows hosts can reach and open TCP/5044 on the Graylog host firewall. The Beats input accepts plain TCP by default; for production, enable TLS in the input settings and configure the matching ssl.* options under output.logstash in Winlogbeat so that Security log contents do not cross the network in clear text.

Create data collector for Windows device logs on Graylog

Then create a separate index set for Windows event logs. Based on the new input and index set, create a new Windows stream (under the Streams section) with a rule that matches messages from that input, and start it.

Create separate index for Windows devices

Winlogbeat: Sending Windows Event Logs to Graylog

To send Event Viewer logs from Windows hosts to the Graylog server, use the Winlogbeat log shipper. Winlogbeat is one of Elastic's open-source Beats (the lightweight shippers of the ELK stack); it speaks the same Lumberjack protocol that the Graylog Beats input understands, so no Logstash is needed in between. The Winlogbeat service must be installed on each Windows host whose events you want to see in Graylog.

  1. Download the Winlogbeat archive from the download page (https://www.elastic.co/downloads/beats/winlogbeat)
  2. Extract the archive to a folder C:\Program Files\winlogbeat
  3. Edit the winlogbeat.yml configuration file.

In the simplest case, use the following configuration, which sends all events from the Application, Security, and System logs to the specified Graylog server. The output section is called output.logstash because the Graylog Beats input speaks the same protocol as Logstash; the host and port are those of the input created above. ignore_older: 72h makes Winlogbeat skip Application events older than 72 hours; the other two logs are shipped in full.

Note that Winlogbeat's configuration file uses YAML syntax, so be careful with spaces and indentation (two spaces per level, no tabs).

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
output.logstash:
  hosts: ["192.168.14.146:5044"]

Winlogbeat configuration file in YAML format

Use more selective filtering to collect only the events you need. For example, the following configuration collects specific Event IDs (single IDs and ranges are both allowed) from the Security log, and one Event ID from the RDP client operational log:

---
winlogbeat.event_logs:
  - name: Security
    event_id: 4627, 4703, 4780-4782
    ignore_older: 24h
    level: critical, error
  - name: Microsoft-Windows-TerminalServicesRDPClient/Operational
    event_id: 1102

One caveat with the level filter: Security audit events (Audit Success / Audit Failure) are written at the Information level, so a level: critical, error filter on the Security channel silently discards the IDs listed above. Use level on the Application, System, or provider channels and rely on event_id alone for the Security log. See examples of typical winlogbeat.yml configuration for Windows Server.

Save winlogbeat.yml. From an elevated PowerShell prompt, check that the configuration parses and that the Graylog input is reachable:

cd "C:\Program Files\winlogbeat"
.\winlogbeat.exe test config
.\winlogbeat.exe test output

test output opens a real connection to the Beats input on port 5044; if it fails, check that the Graylog input is running and that the firewall allows the port before changing anything in winlogbeat.yml.

check winlogbeat configuration on windows

If both tests pass, register Winlogbeat as a Windows service with the script shipped in the archive and start it (still from an elevated prompt; if the execution policy blocks the script, run it as PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1):

.\install-service-winlogbeat.ps1
Start-Service winlogbeat

install winlogbeat service

Go to the Graylog Server web interface and check that events from your Windows servers have started to appear in the corresponding stream.

Windows device logs in Graylog

Collect Active Directory Domain Controller Event Logs with Graylog

Let's look at how to use the Graylog server to search and analyze Windows events, using Active Directory domain controller logs as the example.

When a domain has several domain controllers, finding a specific event is tedious: an event is written only on the DC that processed the request, so an administrator has to check the Security log on each DC in turn. With a central Graylog server that stores events from all DCs, the same search takes seconds.

For example, you need to identify the computer from which a user account was locked out after repeated bad passwords. Open the Graylog search page, select the Windows stream (or reference it in the query as streams:xxxxxxxxxxxxx), and run:

winlogbeat_event_code:(4740 OR 4625) AND winlogbeat_event_provider:Microsoft\-Windows\-Security\-Auditing

Graylog query prompt to search for specific event IDs

Graylog returns the matching events immediately. In the properties of the 4740 event, the Caller Computer Name field (stored by Winlogbeat as winlog.event_data.TargetDomainName) shows the computer from which the lockout was triggered; the 4625 events from the same minutes show the failed logon attempts that led to it.
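The same lockout-source lookup done directly against the domain controllers, as an added PowerShell example that is not part of the original post. It is useful to cross-check a Graylog result, or to cover a DC that has no Winlogbeat agent yet. It assumes the ActiveDirectory module (RSAT) on the workstation, Event Log Readers or administrator rights on the DCs, the Remote Event Log Management firewall rule enabled on them, and a hypothetical locked account jsmith:

```powershell
# Added example (not from the original post): find the computer that caused an
# account lockout by pulling 4740 events straight from every domain controller.
# Requires the ActiveDirectory module, Event Log Readers (or admin) rights on the
# DCs and the "Remote Event Log Management" firewall rule enabled on them.
Import-Module ActiveDirectory

$User  = 'jsmith'                    # assumption: sAMAccountName of the locked account
$Since = (Get-Date).AddHours(-24)

$dcs  = (Get-ADDomainController -Filter *).HostName
$hits = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $Since
        }
    } catch {
        # "No events were found" is raised as an error too; only report real failures.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Read EventData fields by name instead of parsing the rendered message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.TargetUserName -ne $User) { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            DC       = $dc
            Account  = $data.TargetUserName
            # For 4740 the "Caller Computer Name" shown in Event Viewer is carried in
            # the TargetDomainName field (winlog.event_data.TargetDomainName in Winlogbeat).
            CallerPC = $data.TargetDomainName
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time -Descending | Format-Table Time, DC, Account, CallerPC -AutoSize
} else {
    "No 4740 events for $User on any DC since $Since"
}
```

Lockouts are processed by the PDC emulator, so most 4740 events land there, but querying every DC avoids missing a lockout recorded during a PDC outage. Once the same events are in Graylog, the equivalent search is the 4740 query shown above narrowed to the account name.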

Here are some more examples of searching for different events in Active Directory:

  • Event ID 4767 – find out who unlocked the AD user
  • Event ID 4724 – who reset the domain user's password, and when
  • Event ID 4720 – who created a new user in AD, and when; 4722 – account enabled, 4725 – disabled, 4726 – user deleted
  • Tracking changes to Active Directory group membership: 4727 (security-enabled global group created), 4728 (member added to a global group), 4729 (member removed), 4730 (global group deleted); domain local and universal groups use 4731-4734 and 4754-4758 respectively
  • Event ID 5137 (new domain Group Policy/GPO object created), 5136 (GPO object changed), 5141 (GPO object removed); these are Directory Service Changes events and fire for any directory object, so filter on the objectClass groupPolicyContainer to see only GPOs
  • Event ID 4624 – successful logon (lets you quickly view the logon history of an AD user); on domain controllers, 4768/4769/4771 (Kerberos TGT and service ticket requests, pre-authentication failures) also cover logons to other hosts in the domain

Ensure that a Winlogbeat agent is running on every domain controller (list the DCs with Get-ADDomainController -Filter *). Many of the Security events above are written only if the corresponding audit subcategories (for example Account Management, Directory Service Changes, Logon/Logoff) are enabled, so configure them under Advanced Audit Policy Configuration in the Default Domain Controllers Policy and verify the effective settings on a DC with auditpol /get /category:*.
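Repeating the install steps from the Winlogbeat section above (extract, write winlogbeat.yml, test config, test output, install-service-winlogbeat.ps1) by hand on every DC is error-prone. The following is an added PowerShell example, not code from the original post or from Elastic, that does the same from an administrator's workstation over PowerShell Remoting. It assumes the extracted Winlogbeat release sits in a hypothetical local folder C:\Deploy\winlogbeat, WinRM is enabled on the DCs (PowerShell 5.0 or later on both ends for Copy-Item -ToSession), the ActiveDirectory module is installed, and the Graylog Beats input is the one from the post at 192.168.14.146:5044:

```powershell
# Added example (not from the original post): push Winlogbeat to every domain
# controller, write winlogbeat.yml, validate it, and register the service.
# Run from an elevated PowerShell on a domain-joined admin workstation.
Import-Module ActiveDirectory

$Source  = 'C:\Deploy\winlogbeat'            # assumption: extracted Winlogbeat release
$Target  = 'C:\Program Files\winlogbeat'
$Graylog = '192.168.14.146:5044'             # Beats input address from the post

# Config written to each DC. Security is shipped unfiltered on DCs because the
# audit events are exactly what we want centralised. YAML: two-space indentation.
# Note: this sends events in clear text; add ssl.* under output.logstash and
# enable TLS on the Graylog input for production.
$Config = @"
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
  - name: System
  - name: Application
output.logstash:
  hosts: ["$Graylog"]
"@

$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    Write-Host "==> $dc"
    try {
        $s = New-PSSession -ComputerName $dc -ErrorAction Stop
    } catch {
        Write-Warning "$dc : cannot open a remoting session ($($_.Exception.Message))"
        continue
    }

    # Copy the binaries only if they are not already there.
    $present = Invoke-Command -Session $s -ScriptBlock { Test-Path "$using:Target\winlogbeat.exe" }
    if (-not $present) {
        Copy-Item -Path $Source -Destination (Split-Path $Target -Parent) -Recurse -ToSession $s
    }

    $result = Invoke-Command -Session $s -ArgumentList $Target, $Config -ScriptBlock {
        param($Target, $Config)
        Set-Content -Path "$Target\winlogbeat.yml" -Value $Config -Encoding ASCII
        Set-Location $Target

        # Same checks as the manual procedure; stop before touching the service if either fails.
        $cfg = & .\winlogbeat.exe test config 2>&1
        if ($LASTEXITCODE -ne 0) { return "config test failed: $cfg" }
        $out = & .\winlogbeat.exe test output 2>&1
        if ($LASTEXITCODE -ne 0) { return "output test failed (is the Graylog input running and port 5044 open?): $out" }

        if (-not (Get-Service winlogbeat -ErrorAction SilentlyContinue)) {
            & powershell.exe -ExecutionPolicy Bypass -File .\install-service-winlogbeat.ps1 | Out-Null
        }
        Start-Service winlogbeat
        return "service " + (Get-Service winlogbeat).Status
    }
    Write-Host "    $result"
    Remove-PSSession $s
}
```

The script deliberately runs test output before installing the service, so a DC that cannot reach Graylog is reported rather than left with a silently queueing agent. Re-running it is safe: binaries are copied only once and an existing service is simply restarted with the current configuration.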

You can create saved searches and dashboards in Graylog to quickly find the events that interest you, and Graylog event definitions with notifications can alert administrators about critical events in AD.

Centralizing Event Logging for Windows Hosts

Graylog provides convenient collection, storage, search, and analysis of events from other Windows Server roles as well. The following are typical scenarios where an administrator needs to search the Windows event logs, together with the Event IDs and channels that back them:

  • Audit file and folder access events on a file server (Security 4663; requires the Object Access > File System audit subcategory and a SACL on the folder)
  • Track the deletion of files/folders in a shared folder (Security 4660, and 4663 with the DELETE access)
  • Audit changes made to file and folder permissions in Windows (Security 4670)
  • Tracking Remote Desktop (RDP) connection logs (Security 4624 with logon type 10, plus the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational channel)
  • Detect RDP brute force attacks on Windows (bursts of Security 4625 from a single source address)
  • How to find out who shutdown or restarted a computer: winlogbeat_event_code:1074 (System log)
  • Response to the clearing of the event logs: Security 1102 and System 104 may indicate a possible compromise of the Windows Server
  • Get alerted when the built-in Windows Defender antivirus detects a virus on one of your Windows Server hosts (Event ID 1006, 1116 in the Microsoft-Windows-Windows Defender/Operational channel, which must be added to winlogbeat.event_logs)
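Before extending winlogbeat.yml for the scenarios above, it is worth confirming on the host that each source channel exists and is enabled, and that the audit subcategory feeding it is switched on; otherwise the Graylog searches will simply come back empty. The following is an added PowerShell example, not code from the original post, that performs those checks and prints a matching winlogbeat.event_logs list. The channel and auditpol subcategory names are the standard Windows ones (English-language systems); the grouping into scenarios is this example's own:

```powershell
# Added example (not from the original post): verify that the channels and audit
# subcategories behind the scenarios above are present and enabled on this host,
# then print a winlogbeat.event_logs list for the channels that are usable.
# Run from an elevated PowerShell prompt.
$scenarios = @(
    @{ Name = 'File access / deletion / permission changes (4663, 4660, 4670)'
       Log  = 'Security'; Audit = 'File System' },
    @{ Name = 'RDP brute force and logons (4625, 4624 type 10)'
       Log  = 'Security'; Audit = 'Logon' },
    @{ Name = 'RDP session connect/disconnect (21, 24, 25)'
       Log  = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Audit = $null },
    @{ Name = 'Security log cleared (1102)'; Log = 'Security'; Audit = $null },
    @{ Name = 'Other log cleared (104), shutdown/restart (1074)'; Log = 'System'; Audit = $null },
    @{ Name = 'Defender detections (1006, 1116)'
       Log  = 'Microsoft-Windows-Windows Defender/Operational'; Audit = $null }
)

# auditpol /r prints CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
$auditpol = auditpol /get /category:* /r | ConvertFrom-Csv

$report = foreach ($s in $scenarios) {
    $log   = Get-WinEvent -ListLog $s.Log -ErrorAction SilentlyContinue
    $state = 'MISSING'
    if ($log) {
        $state = if ($log.IsEnabled) {
            "ok, $($log.RecordCount) records, max $([math]::Round($log.MaximumSizeInBytes / 1MB)) MB"
        } else { 'DISABLED' }
    }
    $audit = 'n/a'
    if ($s.Audit) {
        $row   = $auditpol | Where-Object { $_.Subcategory -eq $s.Audit }
        $audit = if ($row) { "$($s.Audit): $($row.'Inclusion Setting')" } else { "$($s.Audit): unknown" }
    }
    [pscustomobject]@{ Scenario = $s.Name; Channel = $s.Log; ChannelState = $state; AuditPolicy = $audit }
}
$report | Format-Table -AutoSize -Wrap

# Emit the event_logs entries for every channel that is present and enabled,
# ready to paste into winlogbeat.yml (add event_id filters as needed).
"`nwinlogbeat.event_logs:"
$scenarios | ForEach-Object { $_.Log } | Sort-Object -Unique | ForEach-Object {
    $l = Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue
    if ($l -and $l.IsEnabled) { "  - name: $_" }
}
```

A channel reported as DISABLED (common for the TerminalServices operational logs on hardened builds) can be turned on with wevtutil set-log "<channel>" /enabled:true; an audit subcategory reported as "No Auditing" means the Security events for that scenario will never be generated, no matter what Winlogbeat collects.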

The fast and simple Graylog collector makes it easy to search and filter events in Windows logs. See this post on the Graylog site to get started monitoring critical event IDs on Windows hosts.

Searching Windows event logs in Graylog

Centralized storage of Windows and Active Directory event logs makes it easy to quickly investigate and respond to information security incidents, analyze infrastructure events, and troubleshoot problems.
