I am try to filter a windows log using Winlogbeat using the following parameters.
I want events to be dropped in case:
EventID = 4668
SubjectUserSid = “S-1-5-18"
I have searched everything and I do not even whether this filtering is possible using winlogbeat.
I have followed the guide from elastic but it did not help:
Define processors | Winlogbeat Reference [7.17] | Elastic
Can someone help me on that or whether is even possible?
Hello && welcome @Kyriakos
You can use a piepline to drop the messages you dont want or filter message you only want to send.
Here is an example:
the pipeline rule would look like this:
rule "test drop"
when
to_string($message.winlog_event_id) == "4668" &&
to_string($message.winlog_event_data_SubjectUserSid) == "S-1-5-18"
then
//Drop the message out of processing
drop_message();
end
My syntax is that but it does not work.
Any documentation on how to built pipeline rules?
Please see my syntax on responses.
Thanks,
Yes, I posted the Graylog pipeline solution. If you want it to work in the Collector Configuration it would look something like this:
- name: Security
processors:
- drop_event.when:
and:
- equals.winlog.event_id: "4688"
- equals.winlog.event_data.SubjectUserSid: "S-1-5-18"
On aside note it is always helpful to post proerly formatted text (with the </> tool) rather than a picture.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.