Security Content Packs
Fortigate
About Fortigate Log Collection:
Fortinet's FortiGate is a next-generation firewall whose product line covers both traditional wired traffic and wireless traffic. The firewall is hardware-based, can include SSL inspection and web filtering, and can operate as an IPS. This technology pack will process Fortigate event log messages, providing normalization and enrichment of common events of interest.
Supported Version(s):​
- Up to version 7.x
Not Supported:​
- CEF format
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Fortigate Messages”
Index Set Configuration:​
This technology pack includes one index set definition:
- “Fortinet Event Log Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example:​
date=2021-06-22 time=14:32:46 devname="ABCD-EFG-HIK-LMN-202-87-35-206" devid="FGA20E5Q16027714" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1624352568074022779 tz="+0530" srcip=x.x.x.x srcport=50198 srcintf="wan1" srcintfrole="wan" dstip=2.2.2.2 dstport=4510 dstintf="wan2" dstintfrole="wan" sessionid=2912907682 proto=6 action="close" policyid=32 policytype="policy" poluuid="5b3cd3ef-0fd0-51e7-1222-9c9e72bdfbba" service="4510" dstcountry="India" srccountry="India" trandisp="dnat" tranip=1.1.1.1 tranport=4510 duration=62 sentbyte=2049 rcvdbyte=2703 sentpkt=12 rcvdpkt=11 appcat="unscanned"
Requirements:​
- Configure Fortigate to transmit Syslog to your Graylog server Syslog input
What is Provided:​
- Parsing rules to extract Fortigate logs into Graylog schema compatible fields
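As an added example (not the content pack's own rules), the following Python parser handles the key=value format shown above: it keeps quoted values with escaped quotes intact, types the numeric fields, recombines date/time/tz into a timezone-aware timestamp, and maps a few keys to schema-style names. The target field names in _SCHEMA_MAP are an assumption for illustration, and the sample line is constructed from the page's example with the masked address replaced by an RFC 5737 test address.

```python
import re
from datetime import datetime
from typing import Any, Dict

# Constructed sample modelled on the FortiGate traffic log shown on this page
# (the page masks the source address as x.x.x.x; an RFC 5737 test address is used here).
SAMPLE_LINE = (
    'date=2021-06-22 time=14:32:46 devname="ABCD-EFG-HIK-LMN-202-87-35-206" '
    'devid="FGA20E5Q16027714" logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" eventtime=1624352568074022779 tz="+0530" '
    'srcip=192.0.2.10 srcport=50198 srcintf="wan1" srcintfrole="wan" '
    'dstip=2.2.2.2 dstport=4510 dstintf="wan2" dstintfrole="wan" '
    'sessionid=2912907682 proto=6 action="close" policyid=32 policytype="policy" '
    'poluuid="5b3cd3ef-0fd0-51e7-1222-9c9e72bdfbba" service="4510" '
    'dstcountry="India" srccountry="India" trandisp="dnat" tranip=1.1.1.1 '
    'tranport=4510 duration=62 sentbyte=2049 rcvdbyte=2703 sentpkt=12 '
    'rcvdpkt=11 appcat="unscanned"'
)

# One key=value pair: the value is either a double-quoted string (which may contain
# spaces and backslash-escaped quotes) or a bare run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Keys whose values are numeric in FortiGate traffic logs.
_INT_KEYS = {
    "srcport", "dstport", "proto", "policyid", "sessionid", "eventtime",
    "tranport", "duration", "sentbyte", "rcvdbyte", "sentpkt", "rcvdpkt",
}

# Illustrative FortiGate-key -> schema-style field names. These target names are an
# assumption for this example, not the content pack's actual rule set.
_SCHEMA_MAP = {
    "srcip": "source_ip", "srcport": "source_port",
    "dstip": "destination_ip", "dstport": "destination_port",
    "proto": "network_transport_number", "action": "event_action",
    "sentbyte": "source_bytes", "rcvdbyte": "destination_bytes",
    "policyid": "rule_id", "devname": "event_source", "level": "event_severity",
}


def parse_fortigate(line: str) -> Dict[str, Any]:
    """Split a FortiGate key=value line into a dict, unquoting and typing values."""
    record: Dict[str, Any] = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            value: Any = raw[1:-1].replace('\\"', '"')   # drop quotes, unescape \"
        else:
            value = raw                                   # bare value (may be empty)
        if key in _INT_KEYS and value.isdigit():
            value = int(value)
        record[key] = value
    return record


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map parsed keys onto schema-style names and build an ISO-8601 timestamp."""
    out = {_SCHEMA_MAP[k]: v for k, v in record.items() if k in _SCHEMA_MAP}
    # FortiGate spreads local time over date/time/tz; recombine them so the event keeps
    # its own UTC offset instead of being re-read in the collector's time zone.
    if all(k in record for k in ("date", "time", "tz")):
        stamp = datetime.strptime(
            f"{record['date']} {record['time']} {record['tz']}", "%Y-%m-%d %H:%M:%S %z"
        )
        out["timestamp"] = stamp.isoformat()
    # Keep the log type so later routing (traffic / utm / event) stays possible.
    out["fortigate_type"] = record.get("type")
    return out


if __name__ == "__main__":
    print(normalize(parse_fortigate(SAMPLE_LINE)))
```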
Carbon Black / CB Defense
About Carbon Black Log Collection:
Carbon Black Defense is a next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution that allows security teams to monitor and detect threats instantly against their companies' devices, while at the same time giving users a suite of tools that protects against most attacks, including malware, ransomware, zero-day, and non-malware attacks. This technology pack will process Carbon Black Defense logs, providing normalization and enrichment of common events of interest.
Supported Version(s):
- The current version (Oct 2021); CB Defense does not have version numbers.
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Carbon Black Defense Messages”
Index Set Configuration:​
This technology pack includes one index set definition:
- “Carbon Black Defense Event Log Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example:​
cbdefense1 CEF:0|CarbonBlack|CbDefense_Syslog_Connector|2.0|Active_Threat|A known virus (iWorm) is actively attempting a network connection.|7|rt="Apr 15 2016 13:11:37" sntdom=mycompany dvchost=iworm_test duser=iworm_test dvc= cs3Label="Link" cs3="https://testserver.company.net/ui#investigate/events/device/2004121/incident/UHMZ3" cs4Label="Threat_ID" cs4="UHMZ3" act=Alert
Requirements:
- Configure Carbon Black Defense (CB Defense) to transmit Syslog to your Graylog server Syslog input.
What is Provided:​
- Parsing rules to extract Carbon Black logs into Graylog schema compatible fields
CISCO ASA​
About Cisco ASA Log Collection:​
The Cisco ASA (Adaptive Security Appliances) is a multipurpose firewall appliance from Cisco and is usually used for packet filtering purposes, but it supports many additional features, such as stateful filtering, application inspection, NAT, DHCP, routing, VPN, etc. This technology pack will process Cisco ASA logs, providing normalization and enrichment of common events of interest.
Supported Version(s):​
- Up to version 9.x
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Cisco Device Messages”
Index Set Configuration:​
This technology pack includes one index set definition:
- “Cisco Devices Event Log Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example:​
%ASA-6-305011: Built dynamic TCP translation from DL_172_16:x.x.x.x/1234 to L3_Internet:x.x.x.x/1234
Requirements:​
- Configure CISCO ASA device(s) to transmit Syslog to your Graylog server Syslog input.
What is Provided:
- Parsing rules to extract Cisco ASA logs into Graylog schema compatible fields.
We currently support the following event IDs:
- 106017 106021 106023 106100 106102 110002 110003 111008 111009 111010 113004 113008 113012 113019 113022 106001 106006 106016
- 302010 302014 302016 302015 302013 302020 302021 304001 305006 305011 305012 313001 313005 315011 331002
- 400010 400014 400011 400014 405001 410001
- 500004 502103
- 602304 602303 605005 607001 609001 609002 611101 611103 611102
- 710002 710005 710003 710006 713041 713049 713120 713172 713201 713257 713903 713904 713905 721018 722023 722037 716002 722012 725002 725001 725003 725007 725016 733100 737016 746014 746015 746016 750002 750003 751002 752004 752010 752012 752015 769007
Symantec ProxySG​
About Symantec ProxySG Log Collection:​
Symantec ProxySG (Symantec Proxy Secure Gateway) is a next-generation web application firewall that delivers both comprehensive web security and WAN optimization. This technology pack will process ProxySG event log messages, providing normalization and enrichment of common events of interest.
Supported version(s):​
- Up to version 9.x
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Bluecoat Messages”
Index Set Configuration:​
This technology pack includes one index set definition:
- “Bluecoat Event Log Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example:​
1812 2018-02-10 18:00:12 "DP1-DE1_ProxySG" 888 x.x.x.x bob - - OBSERVED "Business/Economy" http://www.szlb.net/ 200 TCP_NC_MISS GET image/jpeg http www.szlb.net 80 /templets/default/images/wap/bg-gray1.jpg - jpg "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" x.x.x.x 4385 367 - - 0 "client" client_connector "-" "-" x.x.x.x - - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - 9eef3983b1d826f3-00000000c3a3468b-000000005a7f332b
Requirements:
- Configure the Symantec ProxySG appliance to transmit Syslog to your Graylog server Syslog input.
The Symantec ProxySG technology pack expects the fields in the following order, with the first field, x-bluecoat-request-tenant-id, being optional:
x-bluecoat-request-tenant-id, date, time, x-bluecoat-appliance-name, time-taken, c-ip, cs-userdn, cs-auth-groups, x-exception-id, sc-filter-result, cs-categories, cs(Referer), sc-status, s-action, cs-method, rs(Content-Type), cs-uri-scheme, cs-host, cs-uri-port, cs-uri-path, cs-uri-query, cs-uri-extension, cs(User-Agent), s-ip, sc-bytes, cs-bytes, x-data-leak-detected, x-virus-id, x-bluecoat-location-id, x-bluecoat-location-name, x-bluecoat-access-type, x-bluecoat-application-name, x-bluecoat-application-operation, r-ip, x-rs-certificate-validate-status, x-rs-certificate-observed-errors, x-cs-ocsp-error, x-rs-ocsp-error, x-rs-connection-negotiated-ssl-version, x-rs-connection-negotiated-cipher, x-rs-connection-negotiated-cipher-size, x-rs-certificate-hostname, x-rs-certificate-hostname-categories, x-cs-connection-negotiated-ssl-version, x-cs-connection-negotiated-cipher, x-cs-connection-negotiated-cipher-size, x-cs-certificate-subject, cs-icap-status, cs-icap-error-details, rs-icap-status, rs-icap-error-details, x-cloud-rs, x-bluecoat-placeholder, cs(X-Requested-With), x-bluecoat-transaction-uuid
What is Provided:​
- Parsing rules to extract Symantec ProxySG logs into Graylog schema compatible fields.
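As an added example (not the content pack's own rules), the following Python code maps the positional ProxySG access-log line shown above onto the expected field order, treats the leading tenant id as optional by field count, keeps quoted fields such as the User-Agent whole, turns the "-" empty marker into None and types the numeric fields. The sample line is constructed from the page's example with the masked x.x.x.x addresses replaced by RFC 5737 test addresses.

```python
import re
from typing import Any, Dict, List

# Field order the ProxySG technology pack expects (from this page); the first field,
# x-bluecoat-request-tenant-id, is optional.
PROXYSG_FIELDS: List[str] = [
    "x-bluecoat-request-tenant-id", "date", "time", "x-bluecoat-appliance-name",
    "time-taken", "c-ip", "cs-userdn", "cs-auth-groups", "x-exception-id",
    "sc-filter-result", "cs-categories", "cs(Referer)", "sc-status", "s-action",
    "cs-method", "rs(Content-Type)", "cs-uri-scheme", "cs-host", "cs-uri-port",
    "cs-uri-path", "cs-uri-query", "cs-uri-extension", "cs(User-Agent)", "s-ip",
    "sc-bytes", "cs-bytes", "x-data-leak-detected", "x-virus-id",
    "x-bluecoat-location-id", "x-bluecoat-location-name", "x-bluecoat-access-type",
    "x-bluecoat-application-name", "x-bluecoat-application-operation", "r-ip",
    "x-rs-certificate-validate-status", "x-rs-certificate-observed-errors",
    "x-cs-ocsp-error", "x-rs-ocsp-error", "x-rs-connection-negotiated-ssl-version",
    "x-rs-connection-negotiated-cipher", "x-rs-connection-negotiated-cipher-size",
    "x-rs-certificate-hostname", "x-rs-certificate-hostname-categories",
    "x-cs-connection-negotiated-ssl-version", "x-cs-connection-negotiated-cipher",
    "x-cs-connection-negotiated-cipher-size", "x-cs-certificate-subject",
    "cs-icap-status", "cs-icap-error-details", "rs-icap-status", "rs-icap-error-details",
    "x-cloud-rs", "x-bluecoat-placeholder", "cs(X-Requested-With)",
    "x-bluecoat-transaction-uuid",
]

# Constructed sample based on the page's example line, with the masked x.x.x.x
# addresses replaced by RFC 5737 test addresses.
SAMPLE_LINE = (
    '1812 2018-02-10 18:00:12 "DP1-DE1_ProxySG" 888 192.0.2.10 bob - - OBSERVED '
    '"Business/Economy" http://www.szlb.net/ 200 TCP_NC_MISS GET image/jpeg http '
    'www.szlb.net 80 /templets/default/images/wap/bg-gray1.jpg - jpg '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" '
    '198.51.100.5 4385 367 - - 0 "client" client_connector "-" "-" 203.0.113.7 '
    '- - - - - none - - - - none - - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - - - - '
    '9eef3983b1d826f3-00000000c3a3468b-000000005a7f332b'
)

# A token is either a double-quoted run (quotes dropped) or a run of non-whitespace.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_INT_FIELDS = {"time-taken", "sc-status", "cs-uri-port", "sc-bytes", "cs-bytes"}


def tokenize(line: str) -> List[str]:
    """Split on whitespace while keeping quoted fields (User-Agent, categories) whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(line)]


def parse_proxysg(line: str) -> Dict[str, Any]:
    """Map a positional ProxySG access-log line onto the expected field names."""
    tokens = tokenize(line)
    expected = len(PROXYSG_FIELDS)
    if len(tokens) == expected:
        names = PROXYSG_FIELDS
    elif len(tokens) == expected - 1:          # tenant id omitted
        names = PROXYSG_FIELDS[1:]
    else:                                       # wrong field order or a changed format
        raise ValueError(f"expected {expected - 1} or {expected} fields, got {len(tokens)}")
    record: Dict[str, Any] = {"x-bluecoat-request-tenant-id": None}
    for name, token in zip(names, tokens):
        value: Any = None if token == "-" else token    # "-" is ProxySG's empty marker
        if name in _INT_FIELDS and value is not None:
            value = int(value)
        record[name] = value
    return record


if __name__ == "__main__":
    for field, value in parse_proxysg(SAMPLE_LINE).items():
        print(f"{field}={value!r}")
```

Lines with any other token count are rejected rather than mapped onto shifted field names, which is the failure mode to watch for when an appliance's access-log format is edited.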
Cisco Meraki​
About Cisco Meraki Log Collection:​
Cisco Meraki is a hardware vendor and sells cloud-controlled security appliances (firewall), switches, and access points via a centralized managed platform. This technology pack will process Cisco Meraki logs, providing normalization and enrichment of common events of interest.
Supported Version(s):​
- Up to MX16.9+
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Cisco Device Messages”
Index Set Configuration:​
This technology pack includes one index set definition:
- “Cisco Devices Event Log Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Examples:​
1 1619032507.590967163 ip_flow_end src=1.1.1.1 dst=2.2.2.2 protocol=icmp translated_dst_ip=4.4.4.4
1 1619032507.495518695 DEVICE_NAME flows src=1.1.1.1 dst=2.2.2.2 protocol=udp sport=1900 dport=1900 pattern: 1 all
Requirements:​
- Configure Cisco Meraki to transmit Syslog to your Graylog server Syslog input.
What is Provided:​
- Parsing rules to extract Cisco Meraki logs into Graylog schema compatible fields.
O365​
About O365 Log Collection:​
Microsoft’s Office 365 provides cloud-based office apps like Word, Excel, and others. O365 Spotlight for Graylog Illuminate works with the Office 365 Log Events Enterprise Plugin to process Microsoft Office 365 logs by providing normalization and enrichment of common events. The Spotlight comes ready to use with several pre-built dashboard views including O365 Overview and tabs for Exchange, Azure Active Directory, and other O365 applications.
Supported Version(s):​
- Current version of O365 as supported by Microsoft and the Graylog Office 365 Log Events Enterprise Plugin.
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:O365 Messages”
If this stream name is already defined, then nothing will be changed. If this stream name does not exist, then it will be created.
Index Set Configuration:​
This technology pack includes one index set definition:
- “Microsoft Office365 Event Log Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example:​
{"CreationTime":"2021-10-03T00:14:46","Id":"bee3fdad-4243-8f3b-f234-15c294843741","Operation":"SearchMtpStatus","OrganizationId":"bee3fdad-4243-8f3b-f234-15c294843742","RecordType":52,"UserKey":"NOT-FOUND","UserType":5,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"NOT-FOUND","AadAppId":"bee3fdad-4243-8f3b-f234-15c294843740","DataType":"MtpStatus","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/MtpStatus?tenantid=bee3fdad-4243-8f3b-f234-15c294843743","ResultCount":"1"}
Requirements:
- A configured Azure / Office 365 tenant and API keys as detailed at: https://docs.graylog.org/en/4.0/pages/integrations/inputs/o365_input.html
- A configured Graylog O365 input (see “Configuring an O365 Input” below).
What is Provided:
- Parsing rules to extract O365 logs into Graylog schema compatible fields
- Data lookup tables to assist in normalizing O365 log messages into the Graylog schema
- Dashboards
Configuring an O365 Input:​
- Open the System menu and choose Inputs.
- Select Office 365 Log Events from the Select Input drop-down menu.
- Click Launch New Input.
- Assign a node or select Global mode.
- Set the Title, Directory (tenant) ID, Application (client) ID, Client Secret, and Subscription Type to correct values for your O365 tenant.
- Click Verify Connection & Proceed.
- Specify the desired Content Types. Options include: AZURE_ACTIVE_DIRECTORY, SHAREPOINT, EXCHANGE, GENERAL, and DLP_ALL.
- Set the polling interval. (Graylog recommends starting with a polling interval of 3 minutes for the System Log API used by the Graylog O365 Log Events plugin.)
- This step is optional: Select Store Full Message. (This option consumes additional Graylog ingestion volume and storage requirements but may be required for compliance or other reasons.)
- Save the input settings.
- If the input does not start automatically, select Start Input to begin retrieving and processing messages from the configured O365 tenant.
Okta​
About Okta Log Collection:​
Okta is a cloud-based identity management service that provides access to a wide range of applications like Amazon, Google, box, Office 365, and others. This technology pack will process Okta logs, providing normalization and enrichment of common events of interest.
Supported Version(s):​
- This version of the Okta Spotlight was tested with Okta API version 2021.04.1
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Okta Messages”
If this stream name is already defined, then nothing will be changed. If this stream name does not exist, then it will be created.
Index Set Configuration:​
This technology pack includes one index set definition:
- “Okta System Logs”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example:​
{"actor":{"id":"00uznmiqsr1UIPqr90h9","type":"User","alternateId":"test.user@graylog.com","displayName":"Test User","detailEntry":null},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36","os":"Windows 10","browser":"CHROME"},"zone":"null","device":"Computer","id":null,"ipAddress":"10.10.84.54","geographicalContext":{"city":"Dallas","state":"Mississippi","country":"United States","postalCode":"90210","geolocation":{"lat":40.969,"lon":-106.6034}}},"device":null,"authenticationContext":{"authenticationProvider":null,"credentialProvider":null,"credentialType":null,"issuer":null,"interface":null,"authenticationStep":0,"externalSessionId":"00uznmiqsr1UIPqr90h9"},"displayMessage":"User login to Okta","eventType":"user.session.start","outcome":{"result":"SUCCESS","reason":null},"published":"2021-10-18T20:49:24.126Z","securityContext":{"asNumber":null,"asOrg":null,"isp":null,"domain":null,"isProxy":null},"severity":"INFO","debugContext":{"debugData":{"requestId":"YW3d0-2p3-1iwOeHylXaAVXRCcE","origin":"https://test.graylog.net","requestUri":"/api/v0/authx","threatSuspected":"false","url":"/api/v0/authx?"}},"legacyEventType":"core.user_auth.login_success","transaction":{"type":"WEB","id":"YW3d0-2p3-1iwOeHylXaAVXRCcE","detail":{}},"uuid":"e05d81bb-3054-837b-11ec-9bf29b682db0","version":"0","request":{"ipChain":[{"ip":"10.10.84.54","geographicalContext":{"city":"Lakeside","state":"Omaha","country":"United States","postalCode":"90210","geolocation":{"lat":33.696,"lon":-104.0346}},"version":"V4","source":null}]},"target":null}
Requirements:​
- A configured Okta Developer, Preview, or Custom Domain Organization
- A user account in the Okta Organization with “Report Administrator” and “Organization Administrator” or higher permissions
- (See “Create Okta API Token” and “Configuring an Okta Input” below.)
What is Provided:​
- Parsing rules to extract Okta logs into Graylog schema compatible fields.
- Data lookup tables to assist in normalizing Okta log messages into the Graylog schema
- Dashboards
Create Okta API Token:​
Note
Okta API tokens have the same permissions as the user who creates them. If the user permissions change, the API token permissions also change. Consider creating a dedicated service account when creating an API token to limit the access level associated with the token.
To Create the API Token:​
- Log in to the Okta website using an Okta account that has been granted “Report Administrator” and “Organization Administrator” permissions (or higher) for the target Okta Organization.
- The Report Administrator role grants read-only access to reports and the Okta System Log.
- The Organization Administrator role is required to create the API key. This permission should be removed from the Okta account once setup is complete.
- Navigate to the Okta Admin page.
- Access the API page:
- If using the Developer Console, select Tokens from the API menu.
- If using the Administrator Console (Classic UI), select API from the Security menu, and then select Tokens.
- Click Create Token.
- Name the token and click Create Token.
- IMPORTANT: Record the token value and store it in a secure location. This is the only opportunity to see it and record it.
- OPTIONAL: It is recommended to remove any Okta Administrator roles other than “Report Administrator” from the account to be used for API access to system logs. This step limits use of the API key to read-only access to reduce the potential for misuse.
References:
- Okta: Creating an Okta API token
- Okta: Okta Report Administrator role
Linux Auditbeat​
About Linux Auditbeat Log Collection:​
Linux Auditbeat Spotlight for Graylog Illuminate works with Graylog Illuminate Core and Elastic Auditbeat for Linux. The Linux Auditbeat Spotlight comes ready to use with pre-built dashboard views including:
- Linux Auditbeat Overview
- Network Activity
- Admin activity
These built-in views can serve as a starting point for creating custom dashboards.
Supported Version(s):​
This Spotlight was developed using Auditbeat for Linux version XX.X.
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Linux Auditbeat Messages”
If this stream name is already defined, then nothing will be changed. If this stream name does not exist, then it will be created.
Index Set Configuration:​
This technology pack includes one index set definition:
- “Illuminate: Linux Auditbeat Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example:​
["type=CRED_ACQ msg=audit(1633670701.685:6873): pid=5205 uid=0 auid=4294967095 ses=4294970295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'"]
Requirements:​
- A configured Beats input on Graylog server (See “Create Beats Input” below.)
- A Graylog REST API Access Token (See “Create Graylog REST API Token” below.)
- One or more Linux hosts with Graylog Sidecar configured to connect to the Graylog server.
- One or more Linux hosts with Elastic Auditbeat installed.
What is Provided:
- Parsing rules to extract Linux Auditbeat logs into Graylog schema compatible fields
- Data lookup tables to assist in normalizing Linux Auditbeat log messages into the Graylog schema
- Dashboards
Create a Beats Input:​
Note
One Beats input can service multiple log sources; therefore, this step is not required if a Beats input has already been configured.
- Open the System menu and choose Inputs.
- Select Beats from the Select Input drop-down menu.
- Click Launch New Input.
- Assign a node or select Global mode.
- Set the Title, Bind Address, and listening Port. For example:
- Title: “Beats input 5044”
- Bind address: “0.0.0.0” to listen on all interfaces
- Port: “5044”
- Make sure the option “Do not add Beats type as prefix” is not selected. Pipeline processing rules reference incoming data by field name and the pipeline will not function correctly if this prefix is omitted.
- Save the input settings.
- If the input does not start automatically, select Start Input to begin listening for and processing new Beats messages (including Linux Auditbeat messages).
Create Graylog REST API Token:​
- Navigate to the Graylog user configuration menu by selecting System > Users and Teams.
- Select the user for which to create a token and click More Actions and then Edit Tokens.
- Provide a Token Name (e.g. linux_auditbeat) and click Create Token.
- Once the token is created, click Copy to Clipboard to retrieve the new API Access Token.
References:​
- Graylog REST API, Creating and using Access Token.
Install and Configure Graylog Sidecar Agent for Linux:​
Note
There are many possible variations and options when installing Graylog Sidecar. This document provides only a brief summary of the essential procedures. Consult official documentation for full explanations and instructions.
- Install the Graylog Sidecar components. Example commands include:
$ wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-2_all.deb
$ sudo dpkg -i graylog-sidecar-repository_1-2_all.deb
$ sudo apt-get update && sudo apt-get install graylog-sidecar
- Edit the Sidecar configuration file and activate the Sidecar as a system service. Example commands include:
$ vi /etc/graylog/sidecar/sidecar.yml (required values include server_url and server_api_token)
$ sudo graylog-sidecar -service install
$ sudo systemctl start graylog-sidecar
References:​
Palo Alto​
About Palo Alto Log Collection:
Palo Alto is a next-generation firewall that provides real-time (line-rate, low-latency) content scanning based on a stream-based threat prevention engine, protecting users against malicious attacks that include viruses, spyware, data leakage, and application vulnerabilities. This technology pack will process Palo Alto logs, providing normalization and enrichment of common events of interest.
Supported Version(s):​
- Version 9.1+
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Palo Alto Messages”
Index Set Configuration:​
This technology pack includes one index set definition:
- “Palo Alto Log Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Requirements:​
- Supported Palo Alto device sending logs to the Graylog input “Palo Alto Networks TCP (PAN-OS v9+)”
What is Provided:​
- Parsing rules to extract Palo Alto logs into Graylog schema compatible fields
- Graylog Information Model message categorization
- Illuminate Spotlight
Sysmon​
About Microsoft Sysmon Log Collection:
Microsoft Sysmon is a free agent that can be installed on Windows systems and configured to provide rich details about events of particular interest when performing security monitoring of systems. This technology pack will process all Sysmon event log messages produced by recent and current versions of Sysmon, providing normalization and enrichment of common events of interest.
Supported Version(s):
- Sysmon version 12 and later.
Stream Configuration:​
This technology pack includes one stream:
- “Illuminate:Sysmon Messages”, which will contain all events collected from the Sysmon event log
Index Set Configuration:​
This technology pack includes one index set definition:
- “Sysmon Event Log Messages”, which contains all messages from the Windows Sysmon event log.
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Requirements:
- Sysmon event logs delivered to Graylog via Winlogbeat 7.x or NXLog 2.10
Log Delivery Configuration:​
The log delivery agent, either Winlogbeat or NXLog, must be configured to collect Sysmon events from the Windows event log service. Examples are listed below but please refer to the agent’s configuration documentation to properly configure the log delivery agent to support your requirements.
Agent Configuration - Winlogbeat 7.x:
- Under the event_logs: section of the Winlogbeat configuration, add the line:
  name: Microsoft-Windows-Sysmon/Operational
Agent Configuration - NXLog 2.10:
- In the QueryXML section of the NXLog configuration, add the following:
  <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
What is Provided:​
- Parsing rules to extract Sysmon logs into Graylog schema compatible fields
- Graylog Information Model message categorization
- Illuminate spotlight
Events Processed by This Technology Pack:​
- The Sysmon technology pack will process all Sysmon event IDs.
Windows Event Logs​
About Windows Event Log Collection:​
This technology pack will process Windows Security event logs, providing normalization and enrichment of common events of interest. In addition, it will identify all Windows logs that have not been processed by any other technology pack, normalize common event log fields, and index these messages in a separate index.
Supported Version(s):​
- Currently supported version of the Windows operating system
Requirements:​
- Event logs delivered to Graylog via Winlogbeat 7.x or NXLog 2.10
Stream Configuration:
This technology pack includes two streams:
- “Illuminate:Windows Security Event Log Messages,” which contains all messages from the Windows Security event log
- “Illuminate:Windows Event Log Messages,” which will contain all event log messages that have not been processed by this or any other technology pack
Index Set Configuration:​
This technology pack includes two index set definitions:
- “Windows Security Event Log Messages,” which contains all messages from the Windows Security event log
- “Windows Event Log Messages,” which will contain all event log messages that have not been processed by this or any other technology pack
If these index sets are already defined, then nothing will be changed. If these index sets do not exist, then they will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
What is Provided:​
- Parsing and normalization to extract Windows event logs into Graylog schema compatible fields
- Graylog Information Model categorization of messages
- Illuminate Spotlight
Events Processed by This Technology Pack:​
The Windows Security technology pack will apply normalization of common event log fields, such as Event ID, to all Windows event log messages. The Windows Security technology pack will provide normalization and enrichment to the following Windows security event log IDs:
| 1100 | 1101 | 1102 | 1104 | 4616 | 4624 |
| 4625 | 4634 | 4647 | 4648 | 4672 | 4688 |
| 4689 | 4720 | 4721 | 4722 | 4723 | 4724 |
| 4725 | 4726 | 4727 | 4728 | 4729 | 4730 |
| 4731 | 4732 | 4733 | 4734 | 4735 | 4737 |
| 4738 | 4740 | 4741 | 4742 | 4743 | 4754 |
| 4755 | 4756 | 4757 | 4758 | 4764 | 4767 |
| 4769 | 4770 | 4771 | 4776 | 4778 | 4779 |
| 4781 | 4798 | 4779 | 4781 | 4798 | 4799 |
| 4820 | 4821 | 4822 | 4823 | 4824 | |