How to filter on winlogbeat winlog event data LogonType = 2

schneich · July 21, 2022, 10:49am

Dear community,

I have set up a winlogbeat sidecar to our domain controler. I filtered on the event_id, which is working fine. This morning, I added the event_id: 4624 (successfull logon).

the log is now flooded with messages. I would like to filter on 4624, but only winlogbeat_winlog_event_data_LogonType = 2.

I am struggling on the YAML-syntax. Here one of my failed tests:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
sidecarVersion: ${sidecar.sidecarVersion}
output.logstash:
   hosts: ["10.50.76.60:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security
processors:
  - drop_event.when.not.or:
      - equals.winlog.event_id: 4624
      - equals.winlog.event_id: 4625
      - equals.winlog.event_id: 4720
      - equals.winlog.event_id: 4722
      - equals.winlog.event_id: 4723
      - equals.winlog.event_id: 4725
      - equals.winlog.event_id: 4728
      - equals.winlog.event_id: 4732
      - equals.winlog.event_id: 4756
      - equals.winlog.event_id: 4738
      - equals.winlog.event_id: 4740
      - equals.winlog.event_id: 4767
      - equals.winlog.event_id: 4735
      - equals.winlog.event_id: 4737
      - equals.winlog.event_id: 4755
      - equals.winlog.event_id: 4697
      - equals.winlog.event_id: 4946
      - equals.winlog.event_id: 4947
      - equals.winlog.event_id: 4950
      - equals.winlog.event_id: 4954
      - equals.winlog.event_id: 5025
      - equals.winlog.event_id: 5031
  - drop_event.when:
      and:
        - equals.winlog.event_id: 4624
        not:
          - equals.winlog.event_data_LogonType: 2

How do I filter for the LogonType?

Any help is very much appreciated.

Graylog version 4.2.10

shenke · July 21, 2022, 1:49pm

Hi,
have you had a look at the Elasticsearch page for conditions?

Maybe there you can find some help.
The last snippet with “drop_event.when” looks not 100% right to me, but I’m just starting with Winlogbeat.

schneich · July 21, 2022, 3:00pm

@shenke

thank you very much. I know that documentation, but struggle to get it right. (Be aware, that you referenced to wrong version of Elasticsearch.)

I know, that this part is wrong:

  - drop_event.when:
      and:
        - equals.winlog.event_id: 4624
        not:
          - equals.winlog.event_data_LogonType: 2

How would you filter for the two conditions combined? (including all 4624, but only, if LogonType = 2)

In addition to me not unerstanding the syntax, the field naming is unclear to me. e.g. in Graylog, the field is called " winlogbeat_winlog_event_data_LogonType". How should it be referenced in the processor?

gsmith · July 21, 2022, 11:02pm

Hello,

Just chiming in…

An event with logon type=2 occurs whenever a user logs on (or attempts to log on) a computer locally, e.g. by typing user name and password on Windows logon prompt. Events with logon type = 2 occur when a user logs on with a local or a domain account. However, if a user logs on with a domain account, this logon type will appear only when a user really authenticated in the domain. This is in which Windows creates EventID 4624. With that been said, and you need to drop message with that field called
winlogbeat_winlog_event_data_LogonType

Perhaps a Pipeline like this

rule "Remove Message"
when
    $message.LogonType = "2" AND
	$message.EventID = "4624"
then
     drop_message();
end

EDIT:

This might work.

winlogbeat:
  event_logs:
    - name: Security
    - name: System 
      event_id: 5827, 5828, 5829, 5830, 4624
  processors:
   - drop_event:
       when:
         equals:
 	   LogonType: 2

schneich · July 22, 2022, 6:06am

Hi @gsmith

Thank you very much for your input and please take my appologies for not beeing clear enough.
I would like to get from the winlogbeat all events with the above mentioned IDs. (4624, 4625, 4720, 4722, 4723, …). For the event_id: 4624, I only want to keep those messages, where the LogonType equals “2”. All ohter messages with event_id: 4624 and any other LogonType then “2” should be disregarded → not saved in the index.

Until now, I did not stumble accross the concept of pipelines. Do I understand this right:

Messages are comming from an Input or Sidecar
the messages are then going into a Stream
Piplines process the output of a stream, before messages are written into the index.

What is best practice: ommitting the messages in the sidecar or dropping them in the pipeline?

EDIT:
Our Elasticsearch version is 7.10.2. Here are the fields provided by winlogbeat: Winlogbeat fields | Winlogbeat Reference [7.10] | Elastic.
Then I had a look at the processing-syntax - again - and came up with this YAML, but the drop-part does not work. Any ideas?

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
sidecarVersion: ${sidecar.sidecarVersion}
output.logstash:
   hosts: ["10.50.76.60:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security
     event_id: 4624, 4625, 4720, 4722, 4723, 4725, 4728, 4732, 4756, 4738, 4740, 4767, 4735, 4737, 4755, 4697, 4946, 4947, 4950, 4954, 5025, 5031
  processors:
   - drop_event:
       when:
         and:
           - equals.winlog.event_id: 4624
           - not.equals.winlog.event_data.LogonType: 2

gsmith · July 22, 2022, 9:40pm

Hello @schneich

I understand now, and yeah I would use a pipeline for that. Before I roll into it I’ll answer your other questions.

To sum these question up.

GL sidecar is a wrapper for Nxlog, Winlogbeat, & FileBeat. GL sidecar is the man in the middle for Graylog Server and Client. The shippers are what I just stated above. The flow would be something like this.

Log Shipper ( WinlogBeat) ---> INPUT ( Beats) ---> Stream ( All Messages) --> Index ( Default)

As for the winlogbeat.yml file take a look at this site here. It might help.

As for the Winlogbeat configurations, I think it should work but keep in mind its a YAML file I would double check of indents, etc… are correct.

Working with Winlogbeat @tmacgbay might be able to identify errors with this configuration. I’m more of a Nxlog type of guy

schneich · July 23, 2022, 2:23pm

Hi @gsmith,

thank you for your input. As I am on holiday as of today, I will follow up on this in two weeks.

I do have one question: when using pipelines, are those applied on data going into the stream, or on data coming out of the stream? If I do a search, will I see the ommited data or are searches/dashboards based on data on the index?

Thank you very much for your help. It is very much appreciated!

gsmith · July 26, 2022, 12:51am

To the stream, you can re-configure the message or drop the message from there. After pipeline is completed it indexes the message with the proper fields and/or configuration you want.
All messages arrive in the stream called “All Messages” and it branches out from there.

system · August 9, 2022, 12:51am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filtering Windows logs on input Graylog Central (peer support) sidecar , winlogbeat	2	1785	September 1, 2017
Winlogbeats, filtering event ids to send to graylog server Graylog Central (peer support)	4	1099	February 22, 2023
Filtering Windows eventlog from graylog collector Graylog Central (peer support) sidecar , winlogbeat	2	3395	October 9, 2017
Drop event_id how to Graylog Central (peer support) sidecar , winlogbeat	9	8582	March 22, 2018
Help with Winlogbeat config Graylog Central (peer support) sidecar , winlogbeat	3	3813	December 16, 2019

How to filter on winlogbeat winlog event data LogonType = 2

Related topics