How to drop event id 4658 when using sidecar

Hi,
I'm new to the Graylog community and I'm hoping you can help me with my request. I'm having an issue where some Event IDs are being sent in very large numbers, including Event ID 4658. This is causing my hard drive to fill up quickly. I need to prevent Event ID 4658 from being sent to the Graylog server. I have Graylog Sidecar Installer version 1.5.0-1 installed and I need detailed steps. Thank you.

I actually found the solution and I'd like to share it with you:

```
// Graylog pipeline rule: drops Windows Security events whose event code is
// one of the noisy IDs listed below. Attach it to a pipeline connected to the
// stream that receives the winlogbeat messages.
rule "Drop Event ID rule"
when
    contains(
        value: to_string($message."winlogbeat_event_code"),
        search: "4658"
    )
    OR
    contains(
        value: to_string($message."winlogbeat_event_code"),
        search: "5156"
    )
    OR
    contains(
        value: to_string($message."winlogbeat_event_code"),
        search: "4656"
    )
    OR
    contains(
        value: to_string($message."winlogbeat_event_code"),
        search: "4690"
    )
    OR
    contains(
        value: to_string($message."winlogbeat_event_code"),
        search: "5158"
    )
    OR
    contains(
        value: to_string($message."winlogbeat_event_code"),
        search: "5145"
    )
    OR
    contains(
        value: to_string($message."winlogbeat_event_code"),
        search: "4663"
    )
then
    drop_message();
end
```
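The pipeline rule above discards the events once they reach the Graylog server, so they no longer consume disk on the indexer but are still shipped across the network. The question asked for a sidecar-side solution; the following Winlogbeat collector configuration is an added example (not the original poster's config and not an official Graylog template) that excludes the same event IDs on the Windows host itself, using Winlogbeat's `event_id` filter, where a leading `-` excludes an ID. It is written in the form Graylog Sidecar renders from a collector configuration; the Graylog host and port are placeholders, and the `${sidecar.nodeName}` / `${sidecar.nodeId}` variables are the ones Sidecar substitutes at render time.

```yaml
# Added example: Winlogbeat configuration for Graylog Sidecar that excludes
# the noisy Security-log event IDs on the host, before they are shipped.
# Replace GRAYLOG_HOST_PLACEHOLDER with the address of your Beats input.

# Fields Graylog uses to map messages back to the sidecar that sent them
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["GRAYLOG_HOST_PLACEHOLDER:5044"]

path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

tags:
  - windows

winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
      # Winlogbeat event_id filter: plain IDs include, "-ID" excludes.
      # Everything not listed is still collected; only these IDs are dropped.
      event_id: -4658, -5156, -4656, -4690, -5158, -5145, -4663
```

After updating the collector configuration in System > Sidecars, the sidecar restarts Winlogbeat with the new file; you can confirm the exclusion is in effect by searching the receiving stream for `winlogbeat_event_code:4658` and seeing no new hits. Dropping at the collector also removes the events from the network path, which the server-side rule alone does not do.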

