Deleting event logs before Elasticsearch

Hi, I’ve just gotten Graylog installed and I’m getting a fair bit of noise coming through and I’m looking to filter things out. Unfortunately the Windows Event is the logon event which I need so I can’t just drop everything with the Event ID 4624. What I’m looking for is something to drop events based on the “winlogbeat_event_data_TargetUserName” field. Basically if that field has a $ in it, I need to drop it.

From my research I understand this can be done with a pipeline but I can’t find any good examples with the drop_message set.

Graylog Infrastructure - All on 1 server.
Graylog Version - 3.0.1+de74b68, codename Space Moose

Something like this:

rule "drop the noise"
when
    has_field("winlogbeat_event_data_TargetUserName") &&
    contains("winlogbeat_event_data_TargetUsername", "$")
then
    drop_message();
end

Alternatively you can switch the contains with:

regex(".*\\$$", to_string($message.winlogbeat_event_data_TargetUserName)).matches == true

To only drop messages where the $ is at the end of the username (I recall seeing something like that in another post asking about this particular event).

Thank you. That did the trick.
And yes the regex was what I was looking for. Can’t believe I couldn’t find the other thread.

Cheers
Jack

No worries, I couldn’t find it either, I think it was one of those “kinda related but unrelated” comments that I remembered from somewhere Glad to see it solved your issue though

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.