Another Drop Event

PublicName · May 4, 2020, 7:31pm

Winlogbeat 7.6.1. Really easy drop 2 events is failing. I get hundreds of thousands of these events a day. They consist of 95% of the winlog traffic that is sent to the elastic stack.

Copy/Paste which from other threads and nothing. Changing drop to when only does nothing. Here is the the example setup I have on a few machines and nothing.

  - name: Security
    processors:
    - drop_event:
        when:
          and:
            - or:
              - equals.winlog.event_id: 5156
              - equals.winlog.event_id: 5157

    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

I've checked both the sysmom for the event ID's and they are not present. Events are still being sent to Elastic and it's only coming from the security event log.

Any tips to get these things dropped would be amazing.

andrewkroh · May 7, 2020, 2:23pm

You cannot have more than one processors block in the same object. The last one will take precedence. You can try a few things to see this. Paste your config into http://www.yamllint.com/. Or run .\winlogbeat.exe export config.

  - name: Security
    processors:
    - drop_event:
        when.or:
          - equals.winlog.event_id: 5156
          - equals.winlog.event_id: 5157

    - script:
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js

Or try this (untested) using event_id:

  - name: Security
    event_id: -5156, -5157
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

kubekpk · May 8, 2020, 7:39am

Hello,
I try to drop the following event without success
winlog.event_data.LogonType: "3"
Could you please help?

`indent preformatted text by 4 spaces`
- name: Security
   ignore_older: 24h
   event_id: 4624, 4625, 7045, 4758, 4743, 4734, 4730, 4726, 4648, 4776, 4768, 1102, 106, 4662, 
4728, 4729, 4672, 4767, 4740
processors:
    - drop_event.when:
        and:
        - equals.event_id: 4624
        - equals.winlog.event_data.LogonType: "3"'

andrewkroh · May 8, 2020, 8:47pm

@kubekpk Please start a new thread for a new question.

PublicName · May 11, 2020, 5:18pm

Thank you Sir.

First one failed. That's one way I tested as you have it posted on a few other responses.

Second one is a success. A simple minus and it worked as expected.

system · June 8, 2020, 5:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop_event.when.not.or: - not working, Please help Beats winlogbeat	2	549	February 12, 2020
Winlogbeat doesn't drop events Beats winlogbeat	5	532	June 7, 2023
Winlogbeat - multiple event_id's and processor drop_events Beats winlogbeat	2	133	May 28, 2024
Winlogbeat Drop Event Processor No Longer Working After Update to v8 Beats winlogbeat	1	301	August 3, 2022
Processor not dropping events Beats Winlogbeat Beats winlogbeat	3	803	April 29, 2021

Another Drop Event

Related Topics