Drop event_id how to

Graylog Central (peer support)
,
1

I have graylog setup and passing data from my PC to my server using winlogbeats. I am getting all events sent to my server. My question is how to I filter out events I do not want? I do not want all events, I want to exclude events and I have not a clue how.

here is my server.conf

fields:
  collector_node_id: graylog-collector-sidecar
  gl2_source_collector: c8053970-6140-438c-babb-11525d7c594a
output:
  logstash:
    hosts:
    - 192.168.2.250:5044
path:
  data: C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data
  logs: C:\Program Files\graylog\collector-sidecar\logs
tags:
- windows
- iis
winlogbeat:
  event_logs:
  - name: Application
  - name: System
  - name: Security
          
          
processors:
 - drop_event:
	- when:
	- equals:
	- event_id:5152
	- event_id:5150
    - event_id:5156
    - event_id:64
2

You can use a drop_fields or drop_event processor to filter out individual message fields or complete event classes before they’re sent to Graylog:

On the Graylog side of things, you can filter messages inside your pipeline rules via drop_message() or remove individual message fields with remove_field():

3

Thank you but I am not sure where I need to add those lines in what file? Sorry for the noob question but this is my first attempt at configuring graylog.

4

The processors need to be added to the configuration file of Winlogbeat. You’ve posted the configuration of the Graylog Collector Sidecar (which in turns creates a configuration file for Winlogbeat on Windows).

See http://docs.graylog.org/en/2.4/pages/collector_sidecar.html for details about the Graylog Collector Sidecar, especially the part about configuration snippets.

5

How does the syntax work? If I add the below to a snippets, I get “Winlogbeat: Collector configuration file is not valid, waiting for the next update.”

I am adding it with name “drop” to the backend WinLogBeat

processors:
 - drop_event:
	when:
		winlogbeat_event_id
	equals:
		5152

Do I need to add to winlogbeat.yml, how is the syntax?

6

I am making some headway,

Err
Exiting: error unpacking config data: required 'object', but found 'string' in field 'processors.0.drop_event' (source:'C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml')
winlogbeat2018/03/07 19:45:18.357663 beat.go:635: CRIT Exiting: error unpacking config data: required 'object', but found 'string' in field 'processors.0.drop_event' (source:'C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml')

Added to winlogbeat.yml

processors:
    - drop_event:
        When:winlogbeat_task
        contains:"Filtering Platform Connection"
7

ok…I need some understanding please. If I do a pipeline rule like below I do not see win events in my search (expected as I am only looking at windows events right now).

rule "Figuring Stuff Out"
When
has_field(field:"winlogbeat_task")
then
drop_message();
end

If I set has_field(field:winlogbeat_task00) I get data, again expected because winlogbeat_task00 does not exist .

What I want is to drop all messages from winlogbeat_task:Filtering Platform Packet Drop

If I do I am still getting data

rule "Filtering Platform Packet Drop"
When
has_field(field:"winlogbeat_task, [message:Filtering Platform Packet Drop]")
then
drop_message();
end
8

has_field() only checks if a field exists, not what the content of that field is.

You might want to use contains() or check for equality (==).

9

This is what I came up with and appears to be working correctly

rule "Filtering Platform Packet Drop"
when 
    has_field("winlogbeat_task") && to_string($message.winlogbeat_task) == "Filtering Platform Packet Drop"
then
    drop_message();
end
10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.