Hi, I’ve just gotten Graylog installed and I’m getting a fair bit of noise coming through, and I’m looking to filter things out. Unfortunately the Windows event is the logon event, which I need, so I can’t just drop everything with Event ID 4624. What I’m looking for is something to drop events based on the “winlogbeat_event_data_TargetUserName” field. Basically, if that field has a $ in it, I need to drop it.
From my research I understand this can be done with a pipeline, but I can’t find any good examples with drop_message set.
Graylog Infrastructure - All on 1 server.
Graylog Version - 3.0.1+de74b68, codename Space Moose
Something like this:
rule "drop the noise"
when
  // contains() takes the field's value, not its name, so read it via $message
  has_field("winlogbeat_event_data_TargetUserName") &&
  contains(to_string($message.winlogbeat_event_data_TargetUserName), "$")
then
  drop_message();
end
Alternatively, you can replace the contains call with:
regex(".*\\$$", to_string($message.winlogbeat_event_data_TargetUserName)).matches == true
to drop only messages where the $ is at the end of the username (I recall seeing something like that in another post asking about this particular event).
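To show the difference between the two conditions above before committing them to a Graylog pipeline, here is an added Python simulation (not part of the original thread, and not Graylog's own rule engine) that applies both checks to a few constructed winlogbeat-style events. The field name is the one from the thread; the event values are made up. Windows computer accounts have a trailing `$` in their account name, so the trailing-`$` regex keeps a human account that merely has a `$` somewhere in it, whereas the plain `contains` check drops both.

```python
import re

# Constructed sample events in the shape winlogbeat sends to Graylog.
# Only the fields relevant to the rule are included; values are made up.
FIELD = "winlogbeat_event_data_TargetUserName"
SAMPLE_EVENTS = [
    {"event_id": 4624, FIELD: "jack"},        # human account: always keep
    {"event_id": 4624, FIELD: "DC01$"},       # computer account: drop
    {"event_id": 4624, FIELD: "svc$backup"},  # "$" in the middle: regex keeps it
    {"event_id": 4625, FIELD: "WS-42$"},      # computer account: drop
    {"event_id": 4624},                       # field missing: has_field() is false, keep
]

# Same pattern as the Graylog rule: anything ending in a literal "$"
TRAILING_DOLLAR = re.compile(r".*\$$")


def drop_if_contains_dollar(event):
    """Mirror of: has_field(FIELD) && contains(to_string($message.FIELD), "$")."""
    return FIELD in event and "$" in str(event[FIELD])


def drop_if_ends_with_dollar(event):
    """Mirror of: has_field(FIELD) && regex(".*\\$$", to_string($message.FIELD)).matches."""
    return FIELD in event and TRAILING_DOLLAR.match(str(event[FIELD])) is not None


def apply_rule(events, should_drop):
    """Return the events that survive the rule; drop_message() removes the rest."""
    return [e for e in events if not should_drop(e)]


def surviving_users(events, should_drop):
    """Usernames of the surviving events, '<no field>' where the field is absent."""
    return [e.get(FIELD, "<no field>") for e in apply_rule(events, should_drop)]


if __name__ == "__main__":
    print("contains  :", surviving_users(SAMPLE_EVENTS, drop_if_contains_dollar))
    print("ends with :", surviving_users(SAMPLE_EVENTS, drop_if_ends_with_dollar))
```

Running it keeps only `jack` and the field-less event under the `contains` condition, while the trailing-`$` regex additionally keeps `svc$backup`; the event without the field survives both, because `has_field()` guards the check.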
Thank you. That did the trick.
And yes the regex was what I was looking for. Can’t believe I couldn’t find the other thread.
Cheers
Jack
No worries, I couldn’t find it either. I think it was one of those “kinda related but unrelated” comments that I remembered from somewhere.
Glad to see it solved your issue though.