Hello first… Thanks for all the help I already got in this forum!
I have a problem with winlogbeat and event id 4624 (should be successful logins).
When a user logs in and that event appears, I get 4-5 entries in my Graylog… all the same, but the timestamps are different, let's say 00:00:100, 00:00:102, 00:00:104 and so on…
Is there any way to drop the always-same event within a second?
That is not possible with vanilla Graylog. You might want to check how these messages are ingested - maybe these multiple entries/commits can be avoided. Because it might not be the only message you get multiple times?
I just discovered that the logon events have different ports.
Now I should be able to directly drop them in my winlogbeat conf or with a pipeline rule?
winlogbeat_event_data_IpPort
Do you know if that's the right syntax?
(It should do "drop message if eventid=4624 and Port not 62000".)
rule "login success"
when
has_field("winlogbeat_event_id") AND
to_string($message.winlogbeat_event_id) == 4624 AND
has_field("winlogbeat_event_data_IpPort") AND
to_string($message.winlogbeat_event_data_IpPort) != 62000
then
drop_message();
end
This should work, but I would place the compares into "" so your rule becomes:
rule "login success"
when
has_field("winlogbeat_event_id") AND
to_string($message.winlogbeat_event_id) == "4624" AND
has_field("winlogbeat_event_data_IpPort") AND
to_string($message.winlogbeat_event_data_IpPort) != "62000"
then
drop_message();
end