Another Drop Event

PublicName · May 4, 2020, 7:31pm

Winlogbeat 7.6.1. Really easy drop 2 events is failing. I get hundreds of thousands of these events a day. They consist of 95% of the winlog traffic that is sent to the elastic stack.

Copy/Paste which from other threads and nothing. Changing drop to when only does nothing. Here is the the example setup I have on a few machines and nothing.

  - name: Security
    processors:
    - drop_event:
        when:
          and:
            - or:
              - equals.winlog.event_id: 5156
              - equals.winlog.event_id: 5157

    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

I've checked both the sysmom for the event ID's and they are not present. Events are still being sent to Elastic and it's only coming from the security event log.

Any tips to get these things dropped would be amazing.

andrewkroh · May 7, 2020, 2:23pm

You cannot have more than one processors block in the same object. The last one will take precedence. You can try a few things to see this. Paste your config into http://www.yamllint.com/. Or run .\winlogbeat.exe export config.

  - name: Security
    processors:
    - drop_event:
        when.or:
          - equals.winlog.event_id: 5156
          - equals.winlog.event_id: 5157

    - script:
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js

Or try this (untested) using event_id:

  - name: Security
    event_id: -5156, -5157
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

kubekpk · May 8, 2020, 7:39am

Hello,
I try to drop the following event without success
winlog.event_data.LogonType: "3"
Could you please help?

`indent preformatted text by 4 spaces`
- name: Security
   ignore_older: 24h
   event_id: 4624, 4625, 7045, 4758, 4743, 4734, 4730, 4726, 4648, 4776, 4768, 1102, 106, 4662, 
4728, 4729, 4672, 4767, 4740
processors:
    - drop_event.when:
        and:
        - equals.event_id: 4624
        - equals.winlog.event_data.LogonType: "3"'

andrewkroh · May 8, 2020, 8:47pm

@kubekpk Please start a new thread for a new question.

PublicName · May 11, 2020, 5:18pm

Thank you Sir.

First one failed. That's one way I tested as you have it posted on a few other responses.

Second one is a success. A simple minus and it worked as expected.

Topic		Replies	Views
Winlogbeat doesn't drop events Beats winlogbeat	5	660	June 7, 2023
Winlogbeat - multiple event_id's and processor drop_events Beats winlogbeat	2	219	May 28, 2024
Unable to drop events Beats winlogbeat	6	1049	June 28, 2018
Drop_event syntax trouble with multiple processors (7.7.1) Beats winlogbeat	5	447	July 23, 2021
Two different drop_events not dropping events Beats winlogbeat	1	473	June 11, 2019

Another Drop Event

Related topics