I carried out some additional testing by downloading the same version of the Winlogbeat application (1.2.3) from the Elastic website and running it via the CLI. I noticed that the duplicates were gone, so I tried again running the Graylog version manually and again only saw single events. Finally I started the Graylog collector sidecar service and again only saw single events.
What's different? I don't know...other than the fact that when I started the sidecar service this time I noticed that the .winlogbeat.yml file appeared. Based on that I went looking for the .winlogbeat.yml file on my DCs and discovered they were in the root of the C drive. Winlogbeat was throwing up errors saying that it couldn't access the file, so I added a snippet to the configuration to specify that the registry file is stored in the same location as winlogbeat.exe. So far so good. It's odd though, as the default location if you don't specify the path is meant to be the same folder as the winlogbeat.exe file; is that something that should be logged as a bug?

For the moment the problem looks to be fixed, but I'll keep an eye on it.

Cheers,
Adam

On Wednesday, November 2, 2016 at 5:12:21 PM UTC, Adam wrote:
>
> I'd actually renamed it, but as a test I moved it to a different location
> and the problem is still there.
>
> At the moment I only have one Graylog server node (with three
> Elasticsearch nodes).
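As an added check (not code from the thread or from the Graylog/Winlogbeat projects), the script below inspects a Winlogbeat 1.x install for the problem described above: whether `registry_file` is pinned in the config, where it resolves to, whether a stray bookmark sits in the root of C:, and whether the bookmark is writable. The install directory is a placeholder to adjust; the writability probe runs as the current user, not as the service account.

```powershell
# Added example: audit Winlogbeat 1.x bookmark (registry_file) placement.
# Assumption: $InstallDir is a placeholder for the folder holding winlogbeat.exe.
param(
    [string]$InstallDir = 'C:\PLACEHOLDER\winlogbeat',
    [string]$ConfigFile = (Join-Path $InstallDir 'winlogbeat.yml')
)

$exe = Join-Path $InstallDir 'winlogbeat.exe'
if (-not (Test-Path $exe)) { throw "winlogbeat.exe not found in $InstallDir" }
if (-not (Test-Path $ConfigFile)) { throw "config not found at $ConfigFile" }

# Winlogbeat 1.x writes its bookmark as .winlogbeat.yml relative to the process
# working directory unless winlogbeat.registry_file is set; a service started
# with C:\ as its working directory drops the file there.
$configured = Select-String -Path $ConfigFile -Pattern '^\s*registry_file:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim('"', "'", ' ') } |
    Select-Object -First 1

$stray = 'C:\.winlogbeat.yml'
if (Test-Path $stray) {
    Write-Warning "stray bookmark at $stray; if Winlogbeat cannot update it, channels are re-read on every restart (duplicate events)"
}

if (-not $configured) {
    Write-Warning "registry_file is not set in $ConfigFile; the bookmark location depends on the working directory"
    return
}

# Relative values are taken relative to the install directory, which is where
# the thread above says the bookmark was pinned.
$resolved = if ([IO.Path]::IsPathRooted($configured)) { $configured } else { Join-Path $InstallDir $configured }
Write-Output "registry_file resolves to $resolved"

if (-not (Test-Path $resolved)) {
    Write-Output "bookmark does not exist yet; Winlogbeat creates it on first checkpoint"
    return
}

# A bookmark that exists but cannot be opened for writing is the failure mode
# that replays old events into the SIEM after each service restart.
try {
    $fs = [IO.File]::Open($resolved, 'Open', 'ReadWrite', 'ReadWrite')
    $fs.Close()
    Write-Output "bookmark is writable by $env:USERNAME"
} catch {
    Write-Warning "cannot open $resolved for writing: $($_.Exception.Message)"
}
```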
