Looks like I spoke too soon as the duplicates are back.

I did notice that the registry file gets recreated back on the root of the 
C drive, so I guess the graylog-collector executable is doing that via 
whatever command it uses to start Winlogbeat.  That's still an issue as the 
process doesn't have rights to read that file by default.  Anyone else 
noticed that?

So yeah, back to the drawing board for now.

On Thursday, November 3, 2016 at 2:59:25 PM UTC, Adam wrote:
>
> I carried out some additional testing by downloading the same version of 
> the Winlogbeat application (1.2.3) from the Elastic website and running it 
> via the CLI.  I noticed that the duplicates were gone, so I tried again 
> running the Graylog version manually and again only saw single events. 
> Finally I started the Graylog collector sidecar service and again only saw 
> single events.
>
> What's different?  I don't know...other than the fact that when I started 
> the sidecar service this time I noticed that the .winlogbeat.yml file 
> appeared.
>
> Based on that I went looking for the .winlogbeat.yml file on my DCs and 
> discovered they were in the root of the C drive.  Winlogbeat was throwing 
> up errors saying that it couldn't access the file so I added a snippet to 
> the configuration to specify that the registry file is stored in the same 
> location as winlogbeat.exe.  So far so good.
>
> It's odd though as the default location if you don't specify the path is 
> meant to be the same folder as the winlogbeat.exe file; is that something 
> that should be logged as a bug?  For the moment the problem looks to be 
> fixed, but I'll keep an eye on it.
>
> Cheers,
>
> Adam
>
> On Wednesday, November 2, 2016 at 5:12:21 PM UTC, Adam wrote:
>>
>> I'd actually renamed it, but as a test I moved it to a different location 
>> and the problem is still there.
>>
>> At the moment I only have one Graylog server node (with three 
>> Elasticsearch nodes).
>>
>>
>>
