update to support WLB8

graylog-labs · Oct 23, 2023 · 8e05175 · 8e05175
1 parent 26a8710
commit 8e05175
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/Collectors/winlogbeat_illuminate_sysmon.yml b/Collectors/winlogbeat_illuminate_sysmon.yml
@@ -1,13 +1,8 @@
-# Needed for Graylog
-fields_under_root: true
-fields.collector_node_id: ${sidecar.nodeName}
-fields.gl2_source_collector: ${sidecar.nodeId}
-
 output.logstash:
-   hosts: ["<HOST>:PORT"]
+   hosts: ["<HOST>:<PORT>"]
 path:
-  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
-  logs: C:\Program Files\Graylog\sidecar\logs
+  data: C:\Work\Tools\winlogbeat-8.9.1-windows-x86_64\cache\data
+  logs: C:\Work\Tools\winlogbeat-8.9.1-windows-x86_64\cache\logs
 tags:
  - windows
 winlogbeat.event_logs:
@@ -17,6 +12,7 @@ winlogbeat.event_logs:
 
   # Account login: Successful, Failed, logged off, loggon using explicit credentials
   - name: Security
+    id: Security-Logon-Events
     event_id: 4616, 4624, 4625, 4634, 4647, 4648, 4688
     level: info
     ignore_older: 48h
@@ -25,6 +21,7 @@ winlogbeat.event_logs:
 
 # Active Directory Monitoring: User account created, A user account was enabled, An attempt was made to change the password of an account, A user account was disabled,A user account was changed, A user account was locked out,A user account was unlocked
   - name: Security
+    id: Security-Account-Events
     event_id:  4720-4727
     level: info
     ignore_older: 48h
@@ -33,6 +30,7 @@ winlogbeat.event_logs:
 
 # Active directory Monitoring Group:A user was added to a privileged global group, 	A user was added to a privileged local group, A user was added to a privileged universal group, A privileged local group was modified, A privileged global group was modified, A privileged universal group was modified
   - name: Security
+    id: Security-Group-Events
     event_id:   4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740-4743, 4754-4758, 4764, 4767, 4769
     level: info
     ignore_older: 48h
@@ -41,6 +39,7 @@ winlogbeat.event_logs:
 
  # Active directory Kerberos:A Kerberos authentication ticket request failed
   - name: Security
+    id: Security-Kerberos-Events
     event_id:   4770-4773, 4768, 4769
     level: info
     ignore_older: 48h
@@ -49,6 +48,7 @@ winlogbeat.event_logs:
 
    # Active directory RDP: 
   - name: Security
+    id: Security-RDP-Events
     event_id:  1024, 1100, 1101, 1102, 1103, 1104, 1149, 98, 131, 21, 22, 25 
     level: info
     ignore_older: 48h