Filtering Windows logs on input

kstanki · August 18, 2017, 3:59pm

I’m using Graylog to collect windows logon events from servers. I would like to only collect events with certain Logon Types because otherwise I collect many GBs of useless noise.

I’m using winlogbeat, I’ve tried filtering on beats input like this:

[{‘event_id’:‘4625’,‘name’:‘Security’},{‘event_id’:‘4624’,‘name’:‘Security’,‘event_data.LogonType’:‘10’}]

which produces this:

winlogbeat:
event_logs:

event_id: "4625"
name: Security
event_data.LogonType: "10"
event_id: "4624"
name: Security

But the event_data.LogonType line breaks it. I’ve also tried event_data_LogonType. Is there a way to do this?

kstanki · August 18, 2017, 6:12pm

So I think it needs to be done with ‘processors’ right? I tried this in winlogbeat.yml (as a snippet) and it has no effect:

processors:

drop_event.when:
and:
- equals.event_data.LogonType: “3”
- equals.event_id: “4624”

tried with/without quotation marks, etc.

system · September 1, 2017, 6:12pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to filter on winlogbeat winlog event data LogonType = 2 Graylog Central (peer support) winlogbeat	8	4249	August 9, 2022
More Windows Event logs than what I need Graylog Central (peer support) sidecar , winlogbeat	4	3079	August 15, 2017
Filtering Windows eventlog from graylog collector Graylog Central (peer support) sidecar , winlogbeat	2	3330	October 9, 2017
Deleting event logs before Elasticsearch Graylog Central (peer support) sidecar , winlogbeat	4	1169	April 29, 2019
Drop event_id how to Graylog Central (peer support) sidecar , winlogbeat	9	8523	March 22, 2018

Filtering Windows logs on input

Related topics