Can I drop events based on the Process Name?

Kyriakos · March 14, 2023, 11:53am

Hello,

I am try to configure my WinlogBeat configuration and I have the following issue.
I try to drop some events based on their processName but it does not work.

I have found the following fields here provided from elastic. I tried all of them but the events do not drop:

- winlog.event_data.NewProcessName
- winlog.event_data.ProcessName
- winlog.event_data.LogonProcessName

Here is my config file:
##########################################
  - name: Security
    event_id: -4672
    processors:
        - drop_event:
            when.and:
                - equals:
                    winlog.event_id: '4799'
                    winlog.event_data.ProcessName: 'C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe'

##################################################
and here is from server event viewer:

Is there any way to filter with CallerProcessName?
The other way to filter with CallerProcessId but is it dynamically or static? Because I want to use the same configuration file to a lot of servers.

Thanks,

tmacgbay · March 14, 2023, 1:50pm

First, Please use the </> tool when you post code. yml and config code is very sensitive to spacing and it’s impossible to tell unless you use the Preformatted text tool. Fortunately I can adjust your post for it…

I had a situation similar to yours where I wanted to drop a process name and I seemed to recall it didn’t work… so I switched to regex:

- regexp.winlog.event_data.ProcessName: 'bigX\.whorlee\.exe$'

This would catch a process that ends (using the regex end of line $) in bigX.shorlee.exe

put together with proper indentation and other misc stuff I have in the configuration:

   - name: Security
     processors:
       - drop_event.when:
           or:
             - equals.winlog.event_id: "1234"
             - equals.winlog.event_id: "5678"
       - drop_event.when:
           and:
             - equals.winlog.event_id: "9102"
             - regexp.winlog.event_data.SubjectUserName: '.*\$$'
       - drop_event.when:
           and:
             - equals.winlog.event_id: "1001"
             - equals.winlog.event_data.SubjectUserName: "BigBrotha"
       - drop_event.when:
           and:
             - equals.winlog.event_id: "0110"
             - equals.winlog.event_data.TargetUserName: "LilBrotha"
             - regexp.winlog.event_data.ProcessName: 'bigX\.whorlee\.exe$'

system · March 28, 2023, 1:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to filter on WinlogBeat configuration. EventID & SubjectUserSid Graylog Central (peer support) winlogbeat	6	758	March 27, 2023
Drop "same events within 1 secound" Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	5	698	December 17, 2019
Change Winlogbeat Field Names Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	5	2480	April 4, 2017
Firlter Event ID's from Event Viewer (only from PC) Graylog Central (peer support) nxlog	7	1742	July 25, 2022
Constructing pipeline rules Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	3	547	September 5, 2018

Can I drop events based on the Process Name?

Related Topics