Hi, I'm currently using Winlogbeat to send security logs from our Domain Controllers to Graylog. When the messages get there I'm seeing duplicates of every event.
For example a log off event on the DC itself is a single event, yet when I look at it in Graylog I see two entries. Both entries have the same winlogbeat_record_number so I'm pretty sure it's not Winlogbeat sending the event twice as I'd expect to see different record numbers. The Winlogbeat config file on the server is pretty simplistic; it just sends the security log to a single output. Has anyone come across this before? Currently we're using double the amount of disk space than we actually need and it makes statistics unreliable. Thanks, Adam -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/072180c3-4ec2-4206-9b17-4e6f45d6a361%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
