1. Describe your incident:
I’m sending Windows event logs to Graylog using Sidecar and Winlogbeat. There are some repetitive events that I’d like to drop and not send at all to Graylog. The problem is I can’t find a combination that works in the Winlogbeat config file that will drop the events. I’ve searched and searched and have found many combinations, but nothing actually drops the event.
2. Describe your environment:
- OS Information: RHEL 9.6
- Package Version: 6.3.2
- Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
Here is the XML from the event I’m trying to drop. Note: I don’t want to always drop event 3004; I just want to drop event 3004 when either the message or FileNameBuffer contains ScriptControl64_19907.dll.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CodeIntegrity" Guid="{4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}" />
    <EventID>3004</EventID>
    <Version>1</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>104</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2025-08-25T12:40:27.0776467Z" />
    <EventRecordID>170406</EventRecordID>
    <Correlation ActivityID="{561ea484-0abb-0004-7c87-c159bb0adc01}" />
    <Execution ProcessID="9060" ThreadID="44596" />
    <Channel>Microsoft-Windows-CodeIntegrity/Operational</Channel>
    <Computer>ComputerName</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="FileNameLength">66</Data>
    <Data Name="FileNameBuffer">\Device\HarddiskVolume4\Windows\System32\ScriptControl64_19907.dll</Data>
    <Data Name="SecureRequired">0x80000000</Data>
    <Data Name="RequestedSigningLevel">12</Data>
    <Data Name="ProcessNameLength">52</Data>
    <Data Name="ProcessNameBuffer">\Device\HarddiskVolume4\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
Here is the config I’m currently trying that does not work.
output.logstash:
  hosts: ["graylog.fqdn:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\generated\689364b29491b03703d458c8\data
  logs: C:\Program Files\Graylog\sidecar\generated\689364b29491b03703d458c8\logs
logging:
  level: debug
  to_files: true
  files:
    path: C:\temp
    name: winlogbeat
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
      ignore_older: 24h
    - name: System
      ignore_older: 24h
      level: critical, error, warning
    - name: Security
      ignore_older: 24h
      level: information
    - name: Microsoft-Windows-LAPS/Operational
      ignore_older: 24h
      event_id: 10018, 10029, 10020, 10031, 10041, 10043, 10044
    - name: Microsoft-Windows-CodeIntegrity/Operational
      ignore_older: 24h
processors:
  - drop_event.when.and:
      - equals.winlog.event_id: 3004
      - regexp.winlog.event_data.FileNameBuffer: '\bScriptControl64_19907\.dll\b'
4. How can the community help?
I need some help sending me in the correct direction to be able to drop events using Winlogbeat.
Here are some of the posts I’ve used.
Logstash-conf/winlogbeat_example.yml at master · langitio/Logstash-conf · GitHub
Drop events | Winlogbeat Reference [8.9] | Elastic
Thank you!
Jim
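One way to write the conditional drop described in the post, added here as an example and not taken from the original post or from the linked references. It assumes a Winlogbeat 8.x field layout, where the event ID lands in `winlog.event_id`, the rendered text in `message`, and the EventData values under `winlog.event_data.<Name>`. Two points a practitioner checks first when a `drop_event` rule silently matches nothing: `winlog.event_id` is mapped as a keyword (string), so an unquoted `3004` in an `equals` condition compares an integer against a string and never matches, and a `processors` block must sit either at the top level of the file or under the specific `event_logs` entry, not indented somewhere in between. The per-log form below only runs against the CodeIntegrity channel, so the regexp is never evaluated on Security or System events.

```yaml
winlogbeat.event_logs:
  - name: Microsoft-Windows-CodeIntegrity/Operational
    ignore_older: 24h
    # Processors attached to an event_logs entry run only on events from
    # that channel, before any global processors and before output.
    processors:
      - drop_event:
          when:
            and:
              # winlog.event_id is a keyword field: quote the value so the
              # string comparison in `equals` can match.
              - equals:
                  winlog.event_id: "3004"
              # Drop when either the EventData field or the rendered message
              # names the DLL. Anchoring on the basename avoids matching a
              # different file that merely contains the string elsewhere.
              - or:
                  - regexp:
                      winlog.event_data.FileNameBuffer: '(?i)\\ScriptControl64_19907\.dll$'
                  - regexp:
                      message: '(?i)ScriptControl64_19907\.dll'

# Other event 3004 records (different FileNameBuffer) still pass through,
# which keeps the channel useful for spotting unexpected unsigned loads.
```

Validate the file before pushing it out through Sidecar with `winlogbeat test config -c winlogbeat.yml`; a misplaced `processors` key or a bad regexp shows up there rather than as events quietly continuing to arrive in Graylog. If the Graylog-side field names differ from the assumed ones, look at a stored copy of one 3004 event in Graylog and match the condition keys to the field names you actually see.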