Removing some messages from winlogbeat inputs

Hi everyone, I have some issues with removing some messages from winlogbeat's input stream. As everybody knows, there are 2 types of logons (computer and user) into the system, so while monitoring Active Directory winlogbeat sends both of them, but I want to see only user logins and send them to my Telegram channel for monitoring.
Thanks for the help

You could consider a pipeline rule that drops the messages you don't want.

Something like this:

rule "skip messages with loglevel DEBUG"
when
  to_string($message.loglevel) == "DEBUG"
then
  drop_message();
end

or this:

rule "skip messages when regex <*> matches"
when
  // match any message that contains text in angle brackets, e.g. <something>
  regex("<(.*)>", to_string($message.message)).matches == true
then
  drop_message();
end

You could do that with a regex; it looks like you want to drop the Impersonation messages.

Could you please help me with writing this? I have tried examples (with contains) and they did not work.


I have researched a lot and found that special characters are not readable by Elasticsearch tokenizers; that is why the pipeline will not drop messages, because Elasticsearch cannot read the $ symbol.
Could you please help me to filter only user logins for winlogbeat inputs? I want to drop computer logon messages.
Thanks for your attention!

This has nothing to do with Elasticsearch; this is all about a good working regex rule in a pipeline. If you want it executed on a field, the fields already exist in the pipeline process, and only after the last rule is applied to your data is it written to Elasticsearch.

You can work on your regex here and try it in Graylog:

If you have messages you don't want, it can be more efficient to set winlogbeat not to send them. So for instance, here is a Windows filebeat configuration that would drop (exclude_lines) commented lines and not send them in to Graylog:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["${Input.area}"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winfilebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
  - iis
filebeat:
  inputs:
    - type: log
      enabled: true
      # include_lines: ['example', 'Turf', 'stuff'] # Commented out... for now
      exclude_lines: ['^#'] # exclude anything that starts with #
      paths:
        - R:\IIS_LogStorage\*.log

But let's say you want to drop events based on Windows event ID. Let's say you were tracking printing and you wanted to ignore event IDs that weren't relevant because only event ID 307 (when printing) gives you what you want... you might do something like this:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["${Input.area}"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
logging.metrics.enabled: false
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
    # Pick up print jobs but not the rest of the malarkey - we only want event 307
    - name: Microsoft-Windows-PrintService/Operational
      processors:
        - drop_event.when:
            or:
              - equals.winlog.event_id: "801"
              - equals.winlog.event_id: "800"
              - equals.winlog.event_id: "805"
              - equals.winlog.event_id: "842"
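Applying the processor idea above to the original question, as an added example that is not from this thread: this winlogbeat snippet keeps every Security logon event but tags whether the target account is a user or a computer account (computer accounts are named with a trailing "$"), so Graylog can route only the user logons to the stream that feeds the Telegram notification instead of dropping anything. It assumes winlogbeat 7.x field names (winlog.event_data.TargetUserName); logon_kind is a made-up field name.

```yaml
winlogbeat:
  event_logs:
    - name: Security
      # 4624 = successful logon, 4625 = failed logon; remove this line to keep the whole channel
      event_id: 4624, 4625
      processors:
        # Computer accounts look like WORKSTATION01$, so a TargetUserName that does NOT end in "$"
        # is a user logon. The pattern is Go RE2: \$ is a literal dollar sign, the final $ anchors
        # the end of the value (this is what a plain "contains $" check gets wrong).
        # Added example, not from the thread; logon_kind is a made-up field name.
        - add_fields:
            when:
              not:
                regexp:
                  winlog.event_data.TargetUserName: '\$$'
            target: ''
            fields:
              logon_kind: user
        # Everything else is a computer-account logon; tag it too so nothing is lost and the
        # Graylog stream rule (logon_kind must match "user") is the only filter for the alert.
        - add_fields:
            when:
              regexp:
                winlog.event_data.TargetUserName: '\$$'
            target: ''
            fields:
              logon_kind: computer
        # Caveat: built-in principals such as SYSTEM and ANONYMOUS LOGON have no "$" and will be
        # tagged "user"; extend the first pattern, e.g. '(\$|^SYSTEM|^ANONYMOUS LOGON)$', to exclude them.
```

Check a sample message in Graylog for the exact field name the Beats input produces (it may carry a winlogbeat_ prefix) before writing the stream rule that the notification is attached to.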

Thanks for the response tmacgbay!
I don't want to drop them; I want to capture them, but when sending notifications to the Telegram channel I want to see only user logins.

Hello,

Just chiming in.

How did you setup your notification?
