Windows Event (Winlogbeat) Exclude User

Hi there,
Hope everyone is doing fine.
So I have an issue and I can't get it to work.

At some time in my Active Directory, a network administrator added a user for management and security, and this user is creating many Windows events that I don't need in Graylog.
I just need Graylog to stop processing the events from that specified user, but I can't get it to work.
I use a stream for Audit Events from the Domain Controllers and the rules are simple for only those sources.
I tried changing the config in the Winlogbeat but I think I'm missing something.
Tried Pipelines with "winlogbeat.event_data_TargetUserName equals "username"".
Tried adding a new rule to the stream but no luck since I don't have "or" or "and" to choose.

What is the best solution?
Thank you
And Best Regards.
Luís Costa

You can use Winlogbeat processing to drop the event based on username (Start Research Here)

Or if you post your (genericised and nicely formatted with the forum tools) pipeline code for dropping the messages, maybe we could help with a little more detail.

Hi there tmacgbay,
Of course:
Here is the winlogbeat that I tried:

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["myserver:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
    - name: Security
    - name: System
      event_id: 5827, 5828, 5829, 5830, 4625
  processors:
   - drop_event:
       when:
         equals:
           user.name: sa-network-adm
```

Pipeline try:

```
rule "function remove user"
when
    contains(to_string($message.winlogbeat_event_data_TargetUserName), "sa-network-adm", true)
then
    drop_message();
end
```

Use the formatting tools, in particular the one for code, because right now your code for either winlogbeat or for the pipeline definitely will not work as posted.

Also, post the entire winlogbeat code - genericise where needed.

NOTE: Formatting, and in particular indentation, with winlogbeat code makes a difference.

Posted. Sorry, I hadn't used the code formatting in this forum … first time, ahahah

```yaml
  processors:
    - drop_event:
        when:
          contains:
            user.name: sa-network-adm
```

It did work with this format…
Thanks
Resolved :smiley:

1 Like

Great! The indentation thing catches people a LOT - I had not used processors in winlogbeat either so it’s good to know that contains: works. It’s definitely better to stop the heavy volume before it gets to Graylog - be sure to narrow the scope enough so you don’t miss any important events that sa-network-adm gets into… :slight_smile:

For the pipeline (had you done it that way) it would be simpler to put:

```
to_string($message.winlogbeat_event_data_TargetUserName) == "sa-network-adm"
```

2 Likes

So I did some changes and it works better within the "name" of the log.
Also noticed that some of the events would pass through because the username field in the event was null.
After some research the following code works just fine and no events have passed so far:

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["myserver:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
    - name: Security
      processors:
        - drop_event:
            when:
              contains:
                event_data.TargetUserName: sa-network-adm
    - name: System
      event_id: 5827, 5828, 5829, 5830, 4625
```

Thank you for the rapid replies to my post. Best Regards @tmacgbay

3 Likes
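Two things in the thread are worth checking before such a rule goes out to the sidecars: tmacgbay's point that `contains:` is wider than an exact match, and the observation above that events whose user field is null or absent are not dropped at all. The following Python script is an added example, not code from the thread, from Elastic or from Graylog. It re-implements just enough of the Beats `drop_event` `when:` semantics (`equals`, `contains`, `or`/`and`/`not`, and the missing-field case) to preview which events a given condition drops. The sample events are constructed, the field names follow the thread, and the `or` rule that also matches `SubjectUserName` is an assumed widening that the thread's final config does not use.

```python
"""Preview which events a Winlogbeat drop_event condition would drop.

Added example, not code from the thread or from Elastic: it models the
Beats `when:` condition semantics as the author understands them
(equals, contains, or/and/not, missing-field handling) so an exclusion
rule can be checked offline. Sample events are constructed.
"""
from typing import Any, Dict, Iterable, List, Optional

Event = Dict[str, Any]
Condition = Dict[str, Any]


def get_field(event: Event, dotted_path: str) -> Optional[Any]:
    """Resolve 'event_data.TargetUserName' against a nested dict; None if absent."""
    node: Any = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def condition_matches(cond: Condition, event: Event) -> bool:
    """Evaluate one Beats-style condition block.

    equals:   every listed field must be present and compare equal
    contains: every listed field must be present, a string, and contain the value
    or/and:   list of sub-conditions; not: a single sub-condition
    A missing or null field never matches, so the event is NOT dropped.
    """
    if len(cond) != 1:
        raise ValueError("a condition block holds exactly one operator")
    (op, arg), = cond.items()
    if op == "or":
        return any(condition_matches(c, event) for c in arg)
    if op == "and":
        return all(condition_matches(c, event) for c in arg)
    if op == "not":
        return not condition_matches(arg, event)
    if op not in ("equals", "contains"):
        raise ValueError(f"unsupported condition: {op}")
    for path, expected in arg.items():
        actual = get_field(event, path)
        if actual is None:
            return False
        if op == "equals" and actual != expected:
            return False
        if op == "contains" and (not isinstance(actual, str) or expected not in actual):
            return False
    return True


def surviving_indexes(events: Iterable[Event], when: Condition) -> List[int]:
    """Indexes of the events a `drop_event: {when: ...}` processor lets through."""
    return [i for i, e in enumerate(events) if not condition_matches(when, e)]


# Constructed sample events (not real log records), keyed like Winlogbeat's
# event_data.* output for the Security log. Event IDs are the real Windows IDs.
SAMPLE_EVENTS: List[Event] = [
    {"event_id": 4624, "event_data": {"TargetUserName": "sa-network-adm"}},       # 0
    {"event_id": 4624, "event_data": {"TargetUserName": "sa-network-adm-test"}},  # 1 substring only
    {"event_id": 4624, "event_data": {"TargetUserName": "alice"}},                # 2
    {"event_id": 4672, "event_data": {"SubjectUserName": "sa-network-adm"}},      # 3 no TargetUserName
    {"event_id": 4625, "event_data": {"TargetUserName": None}},                   # 4 null user field
]

# The thread's rule as an exact match ...
EQUALS_RULE: Condition = {"equals": {"event_data.TargetUserName": "sa-network-adm"}}
# ... as the substring match the final config uses ...
CONTAINS_RULE: Condition = {"contains": {"event_data.TargetUserName": "sa-network-adm"}}
# ... and widened to either user field (assumed widening, not in the thread's config),
# which also catches records where the account is the subject rather than the target.
EITHER_USER_RULE: Condition = {"or": [
    {"equals": {"event_data.TargetUserName": "sa-network-adm"}},
    {"equals": {"event_data.SubjectUserName": "sa-network-adm"}},
]}

if __name__ == "__main__":
    for name, rule in (("equals", EQUALS_RULE), ("contains", CONTAINS_RULE), ("or", EITHER_USER_RULE)):
        print(f"{name:8s} keeps events {surviving_indexes(SAMPLE_EVENTS, rule)}")
```

Running it shows the trade-off directly: `equals` keeps the look-alike account `sa-network-adm-test`, `contains` drops it too, and neither touches the 4672 record where the account appears only as `SubjectUserName` or the record whose user field is null. Those survivors are exactly the events the thread saw "pass through"; whether to widen the rule to them is a scoping decision, not a formatting one.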
