Another Drop Event

Winlogbeat 7.6.1. A really easy drop of 2 events is failing. I get hundreds of thousands of these events a day. They make up 95% of the winlog traffic that is sent to the elastic stack.

Copy/pasted from other threads and nothing. Changing drop to when only does nothing. Here is the example setup I have on a few machines, and nothing.

  - name: Security
    processors:
    - drop_event:
        when:
          and:
            - or:
              - equals.winlog.event_id: 5156
              - equals.winlog.event_id: 5157

    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

I've checked Sysmon for both event IDs and they are not present. Events are still being sent to Elastic and it's only coming from the security event log.

Any tips to get these things dropped would be amazing.

You cannot have more than one processors block in the same object. The last one will take precedence. You can try a few things to see this. Paste your config into http://www.yamllint.com/. Or run .\winlogbeat.exe export config.

  - name: Security
    processors:
    - drop_event:
        when.or:
          - equals.winlog.event_id: 5156
          - equals.winlog.event_id: 5157

    - script:
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js

Or try this (untested) using event_id:

  - name: Security
    event_id: -5156, -5157
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
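As an added example (mine, not from the thread and not Winlogbeat's own code), here is a small Python re-implementation of the two mechanisms the reply above relies on: the `drop_event.when` condition tree with `and` / `or` / `equals` and dotted keys, and the `event_id` include/exclude filter. It expands dotted keys into nested maps the way libbeat's config loader does (an assumption about the exact semantics), so the same processor list can be written in any of the spellings seen in this thread; the config dicts and events are constructed, not captured.

```python
def merge(a, b):
    """Deep-merge dict b into dict a (b wins); used while expanding dotted keys."""
    for k, v in b.items():
        a[k] = merge(a[k], v) if isinstance(a.get(k), dict) and isinstance(v, dict) else v
    return a

def expand(node):
    """Expand dotted keys as libbeat's loader does: {'a.b.c': 1} -> {'a': {'b': {'c': 1}}}."""
    if isinstance(node, list):
        return [expand(n) for n in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, val in node.items():
        head, _, rest = key.partition(".")
        sub = expand({rest: val}) if rest else expand(val)
        out[head] = merge(out[head], sub) if isinstance(out.get(head), dict) and isinstance(sub, dict) else sub
    return out

def equals_matches(expected, actual):
    """Compare an expanded 'equals' tree against the nested event document."""
    if isinstance(expected, dict):
        return isinstance(actual, dict) and all(equals_matches(v, actual.get(k)) for k, v in expected.items())
    return expected == actual

def matches(cond, event):
    """Evaluate a Beats 'when' condition built from and / or / equals; every key must hold."""
    ops = {"and": lambda v: all(matches(c, event) for c in v),
           "or": lambda v: any(matches(c, event) for c in v),
           "equals": lambda v: equals_matches(v, event)}
    return all(ops[key](val) for key, val in cond.items())  # KeyError for an unsupported key

def is_dropped(processors, event):
    """True if any drop_event processor matches; a drop_event with no 'when' drops everything."""
    return any(matches(p["drop_event"].get("when", {}), event)
               for p in expand(processors) if "drop_event" in p)

def event_id_allowed(spec, event_id):
    """Apply a Winlogbeat event_id filter such as '-5156, -5157' or '4624, 4700-4799'."""
    includes, excludes = [], []
    for item in filter(None, str(spec).replace(" ", "").split(",")):
        lo, _, hi = item.lstrip("-").partition("-")
        (excludes if item.startswith("-") else includes).append((int(lo), int(hi or lo)))
    if any(lo <= event_id <= hi for lo, hi in excludes):
        return False
    return not includes or any(lo <= event_id <= hi for lo, hi in includes)

# Constructed sample: the corrected Security processors from the reply above, as parsed YAML.
SECURITY = [{"drop_event": {"when.or": [{"equals.winlog.event_id": 5156}, {"equals.winlog.event_id": 5157}]}},
            {"script": {"lang": "javascript", "id": "security"}}]
```

Feeding a handful of sample events through `is_dropped` before rolling a config out shows whether the condition actually matches the field names Winlogbeat emits (`winlog.event_id`, `winlog.event_data.*`), which is where most silent "nothing gets dropped" configs go wrong.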

Hello,
I'm trying to drop the following event without success:
winlog.event_data.LogonType: "3"
Could you please help?

  - name: Security
    ignore_older: 24h
    event_id: 4624, 4625, 7045, 4758, 4743, 4734, 4730, 4726, 4648, 4776, 4768, 1102, 106, 4662, 4728, 4729, 4672, 4767, 4740
    processors:
      - drop_event.when:
          and:
            - equals.winlog.event_id: 4624   # Winlogbeat stores the ID in winlog.event_id, not a top-level event_id
            - equals.winlog.event_data.LogonType: "3"

@kubekpk Please start a new thread for a new question.

Thank you Sir.

First one failed. That's one way I tested as you have it posted on a few other responses.

Second one is a success. A simple minus and it worked as expected.
