How to filter on WinlogBeat configuration. EventID & SubjectUserSid

I am try to filter a windows log using Winlogbeat using the following parameters.
I want events to be dropped in case:
EventID = 4668
SubjectUserSid = “S-1-5-18"

I have searched everything and I do not even whether this filtering is possible using winlogbeat.
I have followed the guide from elastic but it did not help:

Define processors | Winlogbeat Reference [7.17] | Elastic

Can someone help me on that or whether is even possible?

Hello && welcome @Kyriakos

You can use a piepline to drop the messages you dont want or filter message you only want to send.
Here is an example:

the pipeline rule would look like this:

rule "test drop"
when
  
  to_string($message.winlog_event_id)                   == "4668"       &&
  to_string($message.winlog_event_data_SubjectUserSid)  == "S-1-5-18"
  
then
  //Drop the message out of processing
  drop_message();
end

image

My syntax is that but it does not work.

Any documentation on how to built pipeline rules?
Please see my syntax on responses.

Thanks,

Yes, I posted the Graylog pipeline solution. If you want it to work in the Collector Configuration it would look something like this:

   - name: Security
     processors:
       - drop_event.when:
           and:
             - equals.winlog.event_id: "4688"
             - equals.winlog.event_data.SubjectUserSid: "S-1-5-18"

On aside note it is always helpful to post proerly formatted text (with the </> tool) rather than a picture.

2 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.