Deleting event logs before Elasticsearch

#1

Hi, I’ve just gotten Graylog installed and I’m getting a fair bit of noise coming through and I’m looking to filter things out. Unfortunately the Windows Event is the logon event which I need so I can’t just drop everything with the Event ID 4624. What I’m looking for is something to drop events based on the “winlogbeat_event_data_TargetUserName” field. Basically if that field has a $ in it, I need to drop it.

From my research I understand this can be done with a pipeline but I can’t find any good examples with the drop_message set.

Graylog Infrastructure - All on 1 server.
Graylog Version - 3.0.1+de74b68, codename Space Moose

0 Likes

(Ben van Staveren) #2

Something like this:

rule "drop the noise"
when
    has_field("winlogbeat_event_data_TargetUserName") &&
    // contains() tests a value, so pass the field's value (via to_string),
    // not the field name as a string literal
    contains(to_string($message.winlogbeat_event_data_TargetUserName), "$")
then
    drop_message();
end

Alternatively you can switch the contains with:

regex(".*\\$$", to_string($message.winlogbeat_event_data_TargetUserName)).matches == true

To only drop messages where the $ is at the end of the username (I recall seeing something like that in another post asking about this particular event).

2 Likes
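The two conditions in the answer above differ on a name such as svc$backup: contains() drops it, the anchored regex keeps it. As an added example that is not part of this thread or of Graylog itself, the Python below mirrors both rule conditions over a few constructed winlogbeat-style events (the field values are made up) and reports what each variant would drop, which is a cheap dry run before enabling drop_message() on a live input.

```python
import re
from collections import Counter

# Field name from the thread; the sample events below are constructed, not real logs.
FIELD = "winlogbeat_event_data_TargetUserName"

SAMPLE_EVENTS = [
    {"winlogbeat_event_id": 4624, FIELD: "WORKSTATION01$"},   # machine account logon
    {"winlogbeat_event_id": 4624, FIELD: "jack"},             # interactive user logon
    {"winlogbeat_event_id": 4624, FIELD: "svc$backup"},       # "$" in the middle only
    {"winlogbeat_event_id": 4634, FIELD: "DC01$"},            # machine account logoff
    {"winlogbeat_event_id": 4624},                            # field missing entirely
]

# Same pattern as the regex() variant in the answer: a literal "$" at end of string.
TRAILING_DOLLAR = re.compile(r".*\$$")


def drop_contains(event):
    """Mirror of has_field(FIELD) && contains(to_string(FIELD), "$")."""
    return FIELD in event and "$" in str(event[FIELD])


def drop_regex(event):
    """Mirror of has_field(FIELD) && regex(".*\\$$", to_string(FIELD)).matches."""
    return FIELD in event and TRAILING_DOLLAR.search(str(event[FIELD])) is not None


def apply_rule(events, drop):
    """Split events into (kept, dropped) under a given drop predicate."""
    kept = [e for e in events if not drop(e)]
    dropped = [e for e in events if drop(e)]
    return kept, dropped


def dropped_by_event_id(events, drop):
    """Volume of dropped events per Windows event ID: what the rule would silence."""
    _, dropped = apply_rule(events, drop)
    return dict(Counter(e["winlogbeat_event_id"] for e in dropped))


if __name__ == "__main__":
    for name, predicate in (("contains", drop_contains), ("regex", drop_regex)):
        kept, dropped = apply_rule(SAMPLE_EVENTS, predicate)
        print(f"{name}: drops {[e[FIELD] for e in dropped]}, keeps {len(kept)} events")
        print(f"  dropped per event id: {dropped_by_event_id(SAMPLE_EVENTS, predicate)}")
```

Running the dry run against a sample of real input before switching on drop_message() shows both which usernames match and how much volume per event ID disappears, so the noise reduction does not also remove logons you still want to see.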

#3

Thank you. That did the trick.
And yes the regex was what I was looking for. Can’t believe I couldn’t find the other thread.

Cheers
Jack

0 Likes

(Ben van Staveren) #4

No worries, I couldn’t find it either. I think it was one of those “kinda related but unrelated” comments that I remembered from somewhere 🙂 Glad to see it solved your issue though 😃

0 Likes