Constructing pipeline rules


(Ashwath Kumar) #1

I don’t have any idea on constructing pipeline rules, can any one help me to construct a rule to drop the log if it has EventID:4656 and the filed ProcessName has “C:\Windows\System32\svchost.exe”.

Full Message:

A handle to an object was requested.

Subject:
Security ID: S-1-5-18
Account Name: intelli$
Account Domain: intelli
Logon ID: 0x3e7

Object:
Object Server: PlugPlayManager
Object Type: Security
Object Name: PlugPlaySecurityObject
Handle ID: 0x0

Process Information:
Process ID: 0x328
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: Unknown specific access (bit 1)

Access Reasons:		-
Access Mask:		0x2
Privileges Used for Access Check:	-
Restricted SID Count:	0

This will be a great help.

Thank you
Ashwath Kumar R


(Megan) #2

Ashwath:

Is there any reason you wouldn’t do this via the winlogbeat configuration instead of a pipeline? While possible with pipelines, it would be more efficient in my opinion to do it via the winlogbeat config so that the logs never even get passed from the host to graylog.

  • Megan

(Ashwath Kumar) #3

Hi Megan,

Thanks for the input, it really helped. I didn’t think that option initially. I am using nxlog to forward the logs to Graylog server and I configured it to drop the message content.

Ashwath Kumar R


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.