Filtering Windows logs on input

I’m using Graylog to collect Windows logon events from servers. I would like to only collect events with certain Logon Types, because otherwise I collect many GBs of useless noise.

I’m using winlogbeat, I’ve tried filtering on beats input like this:


which produces this:


  - event_id: "4625"
    name: Security
  - event_data.LogonType: "10"
    event_id: "4624"
    name: Security

But the event_data.LogonType line breaks it. I’ve also tried event_data_LogonType. Is there a way to do this?

So I think it needs to be done with ‘processors’, right? I tried this in winlogbeat.yml (as a snippet) and it has no effect:


  # Two conditions under `when` have to be combined with `and:`; a plain list is not valid.
  processors:
    - drop_event:
        when:
          and:
            - equals:
                event_data.LogonType: "3"   # LogonType is a string in event_data
            - equals:
                event_id: 4624              # event_id is numeric, so no quotes

I tried with/without quotation marks, etc.
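For reference, here is a complete winlogbeat.yml fragment that does what the first attempt above was aiming for (keep all 4625s, keep 4624 only for interactive and RDP logons, drop the rest). This is an added example, not the original poster’s config or anything from the Graylog or Winlogbeat projects. It assumes the field layout the post uses (a numeric top-level `event_id` and a string `event_data.LogonType`, i.e. Winlogbeat 6.x); Winlogbeat 7.x moved these to `winlog.event_id` and `winlog.event_data.LogonType`, so adjust the names if you are on 7.x. The two things that break the snippet in the post are that several conditions under `when` must be wrapped in `and:` (or `or:`), and that `equals` only matches when the YAML value has the same type as the field, so `event_id` is written unquoted and `LogonType` quoted.

```yaml
# Added example config (not the poster's own). Field names assume the
# Winlogbeat 6.x layout used in the post: numeric `event_id`, string
# `event_data.LogonType`. On 7.x use `winlog.event_id` / `winlog.event_data.LogonType`.

winlogbeat.event_logs:
  # event_id filtering is supported directly on the event log: only 4624
  # (successful logon) and 4625 (failed logon) are read from Security at all.
  - name: Security
    event_id: 4624, 4625

# `processors` is a top-level key in winlogbeat.yml, not indented under an
# event_logs entry. Every 4625 passes through untouched. A 4624 is dropped
# unless its LogonType is 2 (Interactive) or 10 (RemoteInteractive);
# LogonType 3 (Network) is the bulk of the noise on a busy server.
processors:
  - drop_event:
      when:
        and:
          - equals:
              event_id: 4624                 # numeric field: no quotes
          - not:
              or:
                - equals:
                    event_data.LogonType: "2"   # string field: quoted
                - equals:
                    event_data.LogonType: "10"
```

Before restarting the service, check the file parses and the condition tree is accepted with `.\winlogbeat.exe test config -c .\winlogbeat.yml`; a mis-nested `when` block fails there rather than silently doing nothing. To drop only network logons instead (the second attempt in the post), replace the `not:`/`or:` branch with a single `equals: { event_data.LogonType: "3" }`.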
