Filtering Windows eventlog from graylog collector

macko003 · September 18, 2017, 11:32am

I have find some closed topic with releated problems, but noone contain solution or it doesn’t help me.

So I would like to exclude some event_id from servers.
I use graylog-sidecar with WinLogBeat.
I started with these examples:
https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html

I have tried:

[{'ignore_older': '1h','name':'Application'},{'ignore_older': '1h','name':'System'},{'ignore_older': '1h','name':'Security','event_id':'-4634,-4624,-4648'}]

or

[{'ignore_older': '1h','name':'Application'},{'ignore_older': '1h','name':'System'},{'ignore_older': '1h','name':'Security','event_id':'4688'}]

But I get all messages from the server Security log.
The generated conf on the server side:

...
winlogbeat:
  event_logs:
  - ignore_older: 1h
    name: Application
  - ignore_older: 1h
    name: System
  - event_id: -4634,-4624,-4648
    ignore_older: 1h
    name: Security
...

I also tried to put the following line to the snippets part, without success.

processors:
  drop_event.when.and:
    equals.log_name: Security 
    or: 
        equals.event_id: 4634
        equals.event_id: 4648
        equals.event_id: 4624

I got this line in the config:

output:
  logstash:
    hosts:
    - 10.XX.XX.XX:5044
shipper:
  tags:
  - XX
winlogbeat:
  event_logs:
  - ignore_older: 1h
    name: Application
  - ignore_older: 1h
    name: System
  - ignore_older: 1h
    name: Security
winlogbeat:
  registry_file: C:/Program Files/graylog/collector-sidecar/.winlogbeat.yml
logging:
  to_files: true
  files:
    path: C:/Program Files/graylog/collector-sidecar
    rotateeverybytes: 10485760 
  level: info
processors:
  drop_event.when.and:
    equals.log_name: Security 
    or: 
      equals.event_id: 4634
      equals.event_id: 4648
      equals.event_id: 4624

I also tried to add "- " before the line, but nothing changed, I can’t filter the logs.
Anyone, any idea?

macko003 · September 25, 2017, 2:45pm

I did a lot research.
The elastic guide contains the winlogbeat 5.6 config, and the graylog sidecar contains winlogbeat 1.2.3 version, so It doesn’t recognise the event_id parameter. The official 1.2 documentation doesn’t mention event_id filtering.
I tried to change the winlogbeat.exe file to a fresh one, but it can’t process the config file, because it contains the shipper part. I need only remove the shipper, reformat the yml, and it works file, if I start manually, but the graylog or sidecar puts the shipper part.

So my questions left:

Can I remove shipper from the generated config? In this case, I can change the .exe on the client side.
Have I any other chance to filter the log lines based event_id on the client side?
Are there any other solution to don’t store the logs on the server side based on winlogbeat_event_id and tag/source field?

system · October 9, 2017, 2:46pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop event_id how to Graylog Central (peer support) sidecar , winlogbeat	9	8255	March 22, 2018
Windows Event (Winlogbeat) Exclude User Graylog Central (peer support) sidecar , winlogbeat	8	2041	March 16, 2021
How to filter on winlogbeat winlog event data LogonType = 2 Graylog Central (peer support) winlogbeat	8	3685	August 9, 2022
Sidecar + WinLogBeat: Problem with JSON? Graylog Central (peer support) sidecar , winlogbeat	1	835	August 3, 2017
Winlogbeats, filtering event ids to send to graylog server Graylog Central (peer support)	4	452	February 22, 2023

Filtering Windows eventlog from graylog collector

Related Topics