Hey guys,
I'm a bit new to elastic so I can hope a 'specialist' can help me out here.
I am trying to filter out some security log records from our Exchange servers and it does not seem to be working. The config is tested and it seems to be okay.
I am trying to filter as much as possible on the client side to make the forwarding of events to the elastic cluster efficient. We currently do not have logstash implemented.
As far as I know, this is currently not a requirement as winlogbeat already sends it in the correct format to the cluster.
Can you help me out and point me in the right direction?
Any input is appreciated!
winlogbeat.yml:
...
- name: Security
ignore_older: 24h
event_id: 1100, 1102, 4624, 4625, 4634, 4648, 4657, 4697, 4700-4800, 4946, 4947, 4950, 5025
processors:
- drop_event.when.and:
- equals.event_id: 4634
- contains.event_data.TargetUserName: HealthMailbox* # Drop Exchange HealthMailbox* logons
- drop_event.when.and:
- equals.event_id: 4624
- contains.event_data.TargetUserName: HealthMailbox* # Drop Exchange HealthMailbox* logons
- drop_event.when.and:
- equals.event_id: 4625
- contains.event_data.TargetUserName: HealthMailbox* # Drop Exchange HealthMailbox* logons
- drop_event.when.and:
- equals.event_id: 4624
- contains.event_data.TargetUserName: "${COMPUTERNAME}$" # Drop local logons (such as EXCHANGE01$)
- drop_event.when.and:
- equals.event_id: 4625
- contains.event_data.TargetUserName: "${COMPUTERNAME}$" # Drop local logons (such as EXCHANGE01$)
- drop_event.when.and:
- equals.event_id: 4672
- contains.event_data.TargetUserName: "${COMPUTERNAME}$" # Drop local logons (such as EXCHANGE01$)
- drop_event.when.and:
- equals.event_id: 4624
- script:
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
...