How to filter the machine name in authenticate log

Hello All,
I need to drop all machine names in my authenticate log, and I don’t know how to filter them. Can you help me, please?

This config works:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["graylog-server:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security
     event_id: 4624, 4625, 4634, 4776
     processors:
     - drop_event.when.or:
       - equals.winlog.event_data.TargetUserName: 'Machine Name'
     level: critical, error, warning, information
     ignore_older: 72h

But I have enough machines, so I don’t want to write out the name of every machine.

Thanks!

Not clear what you mean by that.

The way you have it set up in general is that any message where the field TargetUserName equals 'Machine Name' the entire message is dropped and not sent to Graylog… but it’s not working? Here is a similar one (but a little more complicated) from my setup that is working:

...
   - name: Security
     processors:
       - drop_event.when:
           and:
             - equals.winlog.event_id: "7234"
             - equals.winlog.event_data.TargetUserName: "user-admin-batman"
             - regexp.winlog.event_data.ProcessName: 'university\.checkhash\.exe$'
...

Note the indentation… it must be correct…


Hello !
This config works for me.
I don’t want to see the machine names with $ in my logs; I just want to see the user names in my logs.

For example:

Source:    winlogbeat_winlog_event_date_Target_UserName:
SERVER1    kamsy
SERVER2    KADER$

So, in this log in Graylog, I want to filter to get only this, without the $ sign:

Source:    winlogbeat_winlog_event_date_Target_UserName:
SERVER1    kamsy

Thanks !

- regexp.winlog.event_data.TargetUserName: '\$$'

I think that will do it.

The regex '\$$' says anything that ends in a dollar sign will be dropped…

\$ - equals literal dollar sign
$ - is an anchor to the end of the string.

Again, .yml files require the correct spacing and indentation; if it’s incorrect, it will not work and will not tell you why.

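Added example (not part of the original posts, and not either poster's own configuration): the Security entry from the first post with the per-name `equals` condition replaced by the suggested regexp, written in the expanded nested form so each indentation level is explicit. All option values are copied from the thread.

```yaml
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
      event_id: 4624, 4625, 4634, 4776
      level: critical, error, warning, information
      ignore_older: 72h
      processors:
        # Before: one "equals" line per machine, which has to be kept
        # up to date by hand.
        #   - drop_event.when.or:
        #       - equals.winlog.event_data.TargetUserName: 'Machine Name'
        #
        # After: a single condition that matches every TargetUserName
        # ending in "$". Single quotes keep the backslash literal in YAML.
        #   \$  a literal dollar sign
        #   $   end-of-string anchor
        - drop_event:
            when:
              regexp:
                winlog.event_data.TargetUserName: '\$$'
```

The filter is scoped to the Security log only, so Application and System events are forwarded unchanged. Matching events are discarded before they leave the host, so they cannot be searched in Graylog afterwards.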

Thanks! This works for me!

Mark it as a solution for future readers! :)
