Filtering Windows logs on input

I’m using Graylog to collect Windows logon events from servers. I would like to only collect events with certain Logon Types because otherwise I collect many GBs of useless noise.

I’m using winlogbeat, I’ve tried filtering on beats input like this:

[{'event_id':'4625','name':'Security'},{'event_id':'4624','name':'Security','event_data.LogonType':'10'}]

which produces this:

winlogbeat:
  event_logs:
    - event_id: "4625"
      name: Security
    - event_data.LogonType: "10"
      event_id: "4624"
      name: Security

But the event_data.LogonType line breaks it. I’ve also tried event_data_LogonType. Is there a way to do this?

So I think it needs to be done with ‘processors’ right? I tried this in winlogbeat.yml (as a snippet) and it has no effect:

processors:
  - drop_event.when:
      and:
        - equals.event_data.LogonType: "3"
        - equals.event_id: "4624"

Tried with/without quotation marks, etc.
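
An added example (not part of the original post, and not Graylog or Winlogbeat code): a Python check that applies the filter the poster describes (every 4625, and 4624 only with LogonType 10) to exported events, so the rule and its volume reduction can be verified before it is deployed. The `winlog.`-prefixed field names, the choice to keep a 4624 that has no LogonType, and the sample events are assumptions made for this example.

```python
import json
from collections import Counter

# Policy from the post: every 4625, and 4624 only with LogonType 10.
KEEP_4624_LOGON_TYPES = {"10"}
# Names from the post, plus a "winlog." layout (assumed: newer Winlogbeat).
EVENT_ID_FIELDS = ("event_id", "winlog.event_id")
LOGON_TYPE_FIELDS = ("event_data.LogonType", "winlog.event_data.LogonType")

def get_field(event, dotted):
    """Look up a field stored as nested maps or as a flat dotted key."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return event.get(dotted)
        node = node[part]
    return node

def first_field(event, names):
    """First present field as a string, so 4624 and "4624" compare equal."""
    values = (get_field(event, name) for name in names)
    return next((str(v).strip() for v in values if v is not None), None)

def classify(event):
    """Return (event_id, logon_type, keep) for one decoded event."""
    event_id = first_field(event, EVENT_ID_FIELDS)
    logon_type = first_field(event, LOGON_TYPE_FIELDS)
    # This example's choice: keep a 4624 that lacks LogonType (parsing gap).
    wanted_4624 = logon_type is None or logon_type in KEEP_4624_LOGON_TYPES
    keep = event_id == "4625" or (event_id == "4624" and wanted_4624)
    return event_id, logon_type, keep

def summarize(lines):
    """Return (kept events, Counter of dropped (event_id, logon_type))."""
    kept, dropped = [], Counter()
    for event in map(json.loads, lines):
        event_id, logon_type, keep = classify(event)
        if keep:
            kept.append(event)
        else:
            dropped[(event_id, logon_type)] += 1
    return kept, dropped

SAMPLE = [  # constructed events (not real logs), one JSON document per line
    '{"event_id": 4624, "event_data": {"LogonType": "3"}}',
    '{"event_id": "4624", "event_data.LogonType": "10"}',
    '{"event_id": 4625, "event_data": {"LogonType": "3"}}',
    '{"winlog": {"event_id": 4624, "event_data": {"LogonType": "3"}}}',
    '{"event_id": 4634}',
]
```

Calling `summarize()` on a file of exported events, one JSON document per line, returns the events the rule would keep and a count of what it would drop, grouped by event ID and logon type.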
