Sidecar configuration to filter event data for SubjectUserName - Windows

quinniedid · July 21, 2021, 4:52pm

I decided to move a slightly different direct with the configuration as it works as expected. Finally got it to work with this config:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["graylog.ad.example.com:514"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
     level: critical, error, warning
     ignore_older: 72h
   - name: System
     level: critical, error, warning
     ignore_older: 72h
   - name: Security
     processors:
     - drop_event.when.or:
       - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
     level: critical, error, warning, information
     ignore_older: 72h

Topic		Replies	Views
Help with Winlogbeat config Graylog Central (peer support) sidecar , winlogbeat	3	3701	December 16, 2019
Drop events using the sidecar collector Graylog Central (peer support) sidecar , windows , winlogbeat	18	2597	April 12, 2022
Windows Event (Winlogbeat) Exclude User Graylog Central (peer support) sidecar , winlogbeat	8	2229	March 16, 2021
Drop event_id how to Graylog Central (peer support) sidecar , winlogbeat	9	8523	March 22, 2018
Sidecar + WinLogBeat: Problem with JSON? Graylog Central (peer support) sidecar , winlogbeat	1	872	August 3, 2017

Sidecar configuration to filter event data for SubjectUserName - Windows

Related topics