Can I drop events based on the Process Name?

Kyriakos · March 14, 2023, 11:53am

Hello,

I am try to configure my WinlogBeat configuration and I have the following issue.
I try to drop some events based on their processName but it does not work.

I have found the following fields here provided from elastic. I tried all of them but the events do not drop:

- winlog.event_data.NewProcessName
- winlog.event_data.ProcessName
- winlog.event_data.LogonProcessName

Here is my config file:
##########################################
  - name: Security
    event_id: -4672
    processors:
        - drop_event:
            when.and:
                - equals:
                    winlog.event_id: '4799'
                    winlog.event_data.ProcessName: 'C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe'

##################################################
and here is from server event viewer:

Is there any way to filter with CallerProcessName?
The other way to filter with CallerProcessId but is it dynamically or static? Because I want to use the same configuration file to a lot of servers.

Thanks,

tmacgbay · March 14, 2023, 1:50pm

First, Please use the </> tool when you post code. yml and config code is very sensitive to spacing and it’s impossible to tell unless you use the Preformatted text tool. Fortunately I can adjust your post for it…

I had a situation similar to yours where I wanted to drop a process name and I seemed to recall it didn’t work… so I switched to regex:

- regexp.winlog.event_data.ProcessName: 'bigX\.whorlee\.exe$'

This would catch a process that ends (using the regex end of line $) in bigX.shorlee.exe

put together with proper indentation and other misc stuff I have in the configuration:

   - name: Security
     processors:
       - drop_event.when:
           or:
             - equals.winlog.event_id: "1234"
             - equals.winlog.event_id: "5678"
       - drop_event.when:
           and:
             - equals.winlog.event_id: "9102"
             - regexp.winlog.event_data.SubjectUserName: '.*\$$'
       - drop_event.when:
           and:
             - equals.winlog.event_id: "1001"
             - equals.winlog.event_data.SubjectUserName: "BigBrotha"
       - drop_event.when:
           and:
             - equals.winlog.event_id: "0110"
             - equals.winlog.event_data.TargetUserName: "LilBrotha"
             - regexp.winlog.event_data.ProcessName: 'bigX\.whorlee\.exe$'

system · March 28, 2023, 1:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Deleting event logs before Elasticsearch Graylog Central (peer support) sidecar , winlogbeat	4	1170	April 29, 2019
How to filter on WinlogBeat configuration. EventID & SubjectUserSid Graylog Central (peer support) winlogbeat	6	1127	March 27, 2023
Winlogbeat Collector Configuration Not Working Graylog Central (peer support) winlogbeat	3	667	March 25, 2023
Drop event_id how to Graylog Central (peer support) sidecar , winlogbeat	9	8525	March 22, 2018
Windows Event (Winlogbeat) Exclude User Graylog Central (peer support) sidecar , winlogbeat	8	2229	March 16, 2021

Can I drop events based on the Process Name?

Related topics