How to filter on winlogbeat winlog event data LogonType = 2

Dear community,

I have set up a winlogbeat sidecar to our domain controller. I filtered on the event_id, which is working fine. This morning, I added the event_id: 4624 (successful logon).

The log is now flooded with messages. I would like to filter on 4624, but only winlogbeat_winlog_event_data_LogonType = 2.

I am struggling with the YAML syntax. Here is one of my failed tests:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
sidecarVersion: ${sidecar.sidecarVersion}
output.logstash:
   hosts: ["10.50.76.60:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security
processors:
  - drop_event.when.not.or:
      - equals.winlog.event_id: 4624
      - equals.winlog.event_id: 4625
      - equals.winlog.event_id: 4720
      - equals.winlog.event_id: 4722
      - equals.winlog.event_id: 4723
      - equals.winlog.event_id: 4725
      - equals.winlog.event_id: 4728
      - equals.winlog.event_id: 4732
      - equals.winlog.event_id: 4756
      - equals.winlog.event_id: 4738
      - equals.winlog.event_id: 4740
      - equals.winlog.event_id: 4767
      - equals.winlog.event_id: 4735
      - equals.winlog.event_id: 4737
      - equals.winlog.event_id: 4755
      - equals.winlog.event_id: 4697
      - equals.winlog.event_id: 4946
      - equals.winlog.event_id: 4947
      - equals.winlog.event_id: 4950
      - equals.winlog.event_id: 4954
      - equals.winlog.event_id: 5025
      - equals.winlog.event_id: 5031
  - drop_event.when:
      and:
        - equals.winlog.event_id: 4624
        not:
          - equals.winlog.event_data_LogonType: 2

How do I filter for the LogonType?

Any help is very much appreciated.

Graylog version 4.2.10

Hi,
have you had a look at the Elasticsearch page for conditions?

Maybe there you can find some help.
The last snippet with “drop_event.when” does not look 100% right to me, but I’m just starting with Winlogbeat.

@shenke

Thank you very much. I know that documentation, but struggle to get it right. (Be aware that you referenced the wrong version of Elasticsearch.)

I know that this part is wrong:

  - drop_event.when:
      and:
        - equals.winlog.event_id: 4624
        not:
          - equals.winlog.event_data_LogonType: 2

How would you filter for the two conditions combined? (including all 4624, but only if LogonType = 2)

In addition to me not understanding the syntax, the field naming is unclear to me. E.g. in Graylog, the field is called “winlogbeat_winlog_event_data_LogonType”. How should it be referenced in the processor?

Hello,

Just chiming in…

An event with logon type = 2 occurs whenever a user logs on (or attempts to log on) to a computer locally, e.g. by typing user name and password at the Windows logon prompt. Events with logon type = 2 occur when a user logs on with a local or a domain account. However, if a user logs on with a domain account, this logon type will appear only when the user really authenticated in the domain. This is when Windows creates EventID 4624. With that being said, you need to drop messages with that field called
winlogbeat_winlog_event_data_LogonType

Perhaps a Pipeline like this

rule "Remove Message"
when
    $message.LogonType == "2" AND
    $message.EventID == "4624"
then
    drop_message();
end

EDIT:

This might work.

winlogbeat:
  event_logs:
    - name: Security
    - name: System
      event_id: 5827, 5828, 5829, 5830, 4624
  processors:
    - drop_event:
        when:
          equals:
            LogonType: 2

Hi @gsmith

Thank you very much for your input and please accept my apologies for not being clear enough.
I would like to get from the winlogbeat all events with the above mentioned IDs (4624, 4625, 4720, 4722, 4723, …). For the event_id: 4624, I only want to keep those messages where the LogonType equals “2”. All other messages with event_id: 4624 and any other LogonType than “2” should be disregarded → not saved in the index.

Until now, I did not stumble across the concept of pipelines. Do I understand this right:

  1. Messages are coming from an Input or Sidecar
  2. The messages then go into a Stream
  3. Pipelines process the output of a stream before messages are written into the index.

What is best practice: omitting the messages in the sidecar or dropping them in the pipeline?

EDIT:
Our Elasticsearch version is 7.10.2. Here are the fields provided by winlogbeat: Winlogbeat fields | Winlogbeat Reference [7.10] | Elastic.
Then I had a look at the processing syntax again and came up with this YAML, but the drop part does not work. Any ideas?

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
sidecarVersion: ${sidecar.sidecarVersion}
output.logstash:
   hosts: ["10.50.76.60:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security
     event_id: 4624, 4625, 4720, 4722, 4723, 4725, 4728, 4732, 4756, 4738, 4740, 4767, 4735, 4737, 4755, 4697, 4946, 4947, 4950, 4954, 5025, 5031
  processors:
   - drop_event:
       when:
         and:
           - equals.winlog.event_id: 4624
           - not.equals.winlog.event_data.LogonType: 2
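
One thing worth checking in a `drop_event` condition like the one above is value types: `winlog.event_data.*` values come from the event XML as strings, while Beats' `equals` condition never treats the integer `2` as equal to the string `"2"`. The Python below is an added model of that evaluation (constructed for this thread, not libbeat code and not the poster's config); it assumes `winlog.event_id` is an integer, as the working event_id filter from the first post implies, and shows the posted condition beside the intended one over a few constructed 4624/4625 events.

```python
# Added model of how Beats evaluates drop_event conditions; constructed, not
# libbeat code. Assumes int winlog.event_id and string winlog.event_data.* values.
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
Condition = Callable[[Event], bool]

def get_path(event: Event, path: str) -> Any:
    """Resolve a dotted field path such as 'winlog.event_data.LogonType'."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def equals(field: str, value: Any) -> Condition:
    """Type-strict equality like libbeat's: an int never matches a str."""
    def check(event: Event) -> bool:
        actual = get_path(event, field)
        return type(actual) is type(value) and actual == value
    return check

def not_(cond: Condition) -> Condition:
    return lambda event: not cond(event)

def and_(*conds: Condition) -> Condition:
    return lambda event: all(c(event) for c in conds)

def winlog(event_id: int, **event_data: str) -> Event:
    # Minimal Winlogbeat-shaped event; event_data values are strings.
    return {"winlog": {"event_id": event_id, "event_data": dict(event_data)}}

# Constructed sample: two interactive logons (2), a network logon (3), a failed logon.
SAMPLE = [
    winlog(4624, LogonType="2", TargetUserName="alice"),
    winlog(4624, LogonType="3", TargetUserName="svc-backup"),
    winlog(4624, LogonType="2", TargetUserName="bob"),
    winlog(4625, LogonType="3", TargetUserName="carol"),
]
# As posted: integer 2 never equals the string "2", so every 4624 is dropped.
BROKEN = and_(equals("winlog.event_id", 4624),
              not_(equals("winlog.event_data.LogonType", 2)))
# Intended: drop 4624 unless LogonType is "2"; other event IDs stay untouched.
FIXED = and_(equals("winlog.event_id", 4624),
             not_(equals("winlog.event_data.LogonType", "2")))

def kept_users(when: Condition) -> List[str]:
    return [get_path(e, "winlog.event_data.TargetUserName")
            for e in SAMPLE if not when(e)]
```

In YAML the equivalent of FIXED is quoting the value, `winlog.event_data.LogonType: "2"`; the model covers only the condition, so also keep `processors:` at the top level of winlogbeat.yml, where the first config placed it and where Beats reads global processors.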

Hello @schneich

I understand now, and yeah I would use a pipeline for that. Before I roll into it I’ll answer your other questions.

To sum these questions up:

GL sidecar is a wrapper for Nxlog, Winlogbeat, & FileBeat. GL sidecar is the man in the middle between Graylog Server and Client. The shippers are what I just stated above. The flow would be something like this.

Log Shipper (WinlogBeat) ---> INPUT (Beats) ---> Stream (All Messages) --> Index (Default)

As for the winlogbeat.yml file take a look at this site here. It might help.

As for the Winlogbeat configuration, I think it should work, but keep in mind it's a YAML file; I would double check that indents, etc. are correct.

Working with Winlogbeat, @tmacgbay might be able to identify errors with this configuration. I’m more of a Nxlog type of guy.

Hi @gsmith,

Thank you for your input. As I am on holiday as of today, I will follow up on this in two weeks.

I do have one question: when using pipelines, are those applied on data going into the stream, or on data coming out of the stream? If I do a search, will I see the omitted data, or are searches/dashboards based on data in the index?

Thank you very much for your help. It is very much appreciated!

To the stream; you can re-configure the message or drop the message from there. After the pipeline is completed, it indexes the message with the proper fields and/or configuration you want.
All messages arrive in the stream called “All Messages” and it branches out from there.
