Hi, I’ve just gotten Graylog installed and I’m getting a fair bit of noise coming through, and I’m looking to filter things out. Unfortunately the Windows Event is the logon event, which I need, so I can’t just drop everything with Event ID 4624. What I’m looking for is something to drop events based on the “winlogbeat_event_data_TargetUserName” field. Basically, if that field has a $ in it, I need to drop it.
From my research I understand this can be done with a pipeline, but I can’t find any good examples with drop_message set.
Graylog Infrastructure - All on 1 server.
Graylog Version - 3.0.1+de74b68, codename Space Moose
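An added example of the pipeline rule the post asks for (not code from the original post or from the Graylog project): it drops any message whose winlogbeat_event_data_TargetUserName field contains a `$`, using the built-in `has_field`, `to_string`, `contains` and `drop_message` functions. The rule name is an arbitrary choice, and the example assumes the rule is placed in a pipeline stage that is connected to the stream the Winlogbeat messages land in (the "All messages" stream by default).

```text
rule "drop machine account logons"
when
    // Only evaluate messages that actually carry the field; has_field avoids
    // a null when the message is not a Windows logon event at all.
    has_field("winlogbeat_event_data_TargetUserName") &&
    // Machine accounts (DC01$, WORKSTATION$) and the SYSTEM-style pseudo
    // accounts carry a trailing $; the poster asked for "contains", which
    // also catches any $ elsewhere in the name.
    contains(to_string($message.winlogbeat_event_data_TargetUserName), "$")
then
    // Discard the message before it is indexed; nothing after this stage sees it.
    drop_message();
end
```

Two practical checks before trusting it: the Windows accounts you want to drop normally end with `$`, so `ends_with(...)` instead of `contains(...)` is a tighter filter that will not accidentally drop a human user whose name happens to contain a `$`; and the rule only fires if the field already exists when the pipeline runs, so if the field is produced by an extractor, make sure the Message Filter Chain is ordered before the Pipeline Processor under System > Configurations, otherwise `has_field` is false and nothing is dropped.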