Winlogbeat drop_event.when.not.or: not working - Sidecar Version 1.5, Graylog 5.2

bavarian · November 21, 2023, 7:28am

Hello @gsmith , there were not errors or warnings.
I tried around and it works now, but seems strange as it is nowhere documented.

For sidecar Version 1.4 (Winlogbeat 7.11.1) to use drop_event.when.not.or:

- equals.winlog.event_id: 4616
- equals.winlog.event_id: 4624

For sidecar Version 1.5 (Winlogbeat 8.9.0), I nedd to put the windows event id into qoutes.

- equals.winlog.event_id: "4616"
- equals.winlog.event_id: "4624"

Both methods are not working for the other one around. Does anyone else experienced this?

Topic		Replies	Views
Graylog Sidecar Winlogbeat Drop Event New to Graylog Community? READ-ME FIRST Guides sidecar , windows , winlogbeat	1	95	March 27, 2024
Help with Winlogbeat config Graylog Central (peer support) sidecar , winlogbeat	3	3549	December 16, 2019
Winlogbeat "publishes" fine but specific events aren't seen in Graylog Graylog Central (peer support) sidecar , winlogbeat	1	982	April 13, 2021
Windows events to graylog server Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	3	4605	December 27, 2018
New Graylog Sidecar Running But Not Sending Data Graylog Central (peer support) sidecar , winlogbeat	2	1435	July 29, 2019