Dear community,
I have set up a winlogbeat sidecar on our domain controller. I filtered on the event_id, which is working fine. This morning, I added the event_id 4624 (successful logon).
The log is now flooded with messages. I would like to filter on 4624, but only where winlogbeat_winlog_event_data_LogonType = 2.
I am struggling with the YAML syntax. Here is one of my failed tests:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
sidecarVersion: ${sidecar.sidecarVersion}
output.logstash:
  hosts: ["10.50.76.60:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
processors:
  - drop_event.when.not.or:
      - equals.winlog.event_id: 4624
      - equals.winlog.event_id: 4625
      - equals.winlog.event_id: 4720
      - equals.winlog.event_id: 4722
      - equals.winlog.event_id: 4723
      - equals.winlog.event_id: 4725
      - equals.winlog.event_id: 4728
      - equals.winlog.event_id: 4732
      - equals.winlog.event_id: 4756
      - equals.winlog.event_id: 4738
      - equals.winlog.event_id: 4740
      - equals.winlog.event_id: 4767
      - equals.winlog.event_id: 4735
      - equals.winlog.event_id: 4737
      - equals.winlog.event_id: 4755
      - equals.winlog.event_id: 4697
      - equals.winlog.event_id: 4946
      - equals.winlog.event_id: 4947
      - equals.winlog.event_id: 4950
      - equals.winlog.event_id: 4954
      - equals.winlog.event_id: 5025
      - equals.winlog.event_id: 5031
  - drop_event.when:
      and:
        - equals.winlog.event_id: 4624
      not:
        - equals.winlog.event_data_LogonType: 2
How do I filter for the LogonType?
Any help is very much appreciated.
Graylog version 4.2.10
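An added example (not the original poster's configuration) of a winlogbeat processor that drops 4624 unless LogonType is 2; it assumes the Beats field name winlog.event_data.LogonType (the winlogbeat_winlog_event_data_LogonType seen in Graylog is that path flattened by the Beats input) and that event_data values are strings.

```yaml
# Added example, not the original poster's config. Only the winlogbeat and
# processors sections are shown; fields/output/path/tags stay as in the post.
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
      # Optional: filter at the subscription rather than in a processor, so the
      # unwanted Security events are never read at all. Comma-separated IDs;
      # ranges (4720-4740) and exclusions (-4634) are also accepted.
      event_id: 4624, 4625, 4720, 4722, 4723, 4725, 4728, 4732, 4756, 4738, 4740, 4767, 4735, 4737, 4755, 4697, 4946, 4947, 4950, 4954, 5025, 5031

processors:
  # Drop 4624 unless it is an interactive (console) logon, LogonType 2.
  # Event data lives under winlog.event_data.<Name> and the values are strings,
  # so "2" must be quoted; "not" wraps exactly one condition, not a list.
  # If your winlogbeat version emits winlog.event_id as a string, quote 4624 too.
  - drop_event:
      when:
        and:
          - equals.winlog.event_id: 4624
          - not:
              equals.winlog.event_data.LogonType: "2"
```

This processor can sit after the existing drop_event.when.not.or allowlist from the post; the allowlist keeps 4624 and this second step then discards the non-interactive ones.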