Config check, filtering out users

Hey guys,

I'm a bit new to Elastic, so I hope a 'specialist' can help me out here.
I am trying to filter out some security log records from our Exchange servers and it does not seem to be working. The config is tested and it seems to be okay.

I am trying to filter as much as possible on the client side to make the forwarding of events to the Elastic cluster efficient. We currently do not have Logstash implemented.
As far as I know, this is currently not a requirement, as Winlogbeat already sends it in the correct format to the cluster.

Can you help me out and point me in the right direction?
Any input is appreciated!

winlogbeat.yml:

...
  - name: Security
    ignore_older: 24h
    event_id: 1100, 1102, 4624, 4625, 4634, 4648, 4657, 4697, 4700-4800, 4946, 4947, 4950, 5025
    processors:
      - drop_event.when.and:
        - equals.event_id: 4634
        - contains.event_data.TargetUserName: HealthMailbox* # Drop Exchange HealthMailbox* logons
      - drop_event.when.and:
        - equals.event_id: 4624
        - contains.event_data.TargetUserName: HealthMailbox* # Drop Exchange HealthMailbox* logons
      - drop_event.when.and:
        - equals.event_id: 4625
        - contains.event_data.TargetUserName: HealthMailbox* # Drop Exchange HealthMailbox* logons
      - drop_event.when.and:
        - equals.event_id: 4624
        - contains.event_data.TargetUserName: "${COMPUTERNAME}$" # Drop local logons (such as EXCHANGE01$)
      - drop_event.when.and:
        - equals.event_id: 4625
        - contains.event_data.TargetUserName: "${COMPUTERNAME}$" # Drop local logons (such as EXCHANGE01$)
      - drop_event.when.and:
        - equals.event_id: 4672
        - contains.event_data.TargetUserName: "${COMPUTERNAME}$" # Drop local logons (such as EXCHANGE01$)
      - drop_event.when.and:
        - equals.event_id: 4624
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
...

It should be winlog.event_id and winlog.event_data.
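A corrected version of the processors block, written here as an added example rather than the poster's or Elastic's own configuration, applying the field names from the reply above (Winlogbeat 7.x and later nest event fields under `winlog.*`). Two further things are changed while at it: `contains` is a literal substring test and does not treat `*` as a wildcard, so the HealthMailbox prefix match uses a `regexp` condition anchored at the start of the name instead; and the three near-identical rules per account pattern are collapsed into one rule with an `or` over the event IDs. The `${COMPUTERNAME}$` value is kept as the poster wrote it and is assumed to expand to the host's machine-account name; whether `winlog.event_id` compares as a number or as a quoted string depends on the Winlogbeat version, so if a rule never matches, try quoting the IDs.

```yaml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 1100, 1102, 4624, 4625, 4634, 4648, 4657, 4697, 4700-4800, 4946, 4947, 4950, 5025
    processors:
      # Drop Exchange HealthMailbox* logons: 4624 (success), 4625 (failure), 4634 (logoff).
      # 'contains' is a plain substring test, so an anchored regexp does the prefix match
      # that "HealthMailbox*" was meant to express.
      - drop_event.when.and:
          - or:
              - equals.winlog.event_id: 4624
              - equals.winlog.event_id: 4625
              - equals.winlog.event_id: 4634
          - regexp.winlog.event_data.TargetUserName: '^HealthMailbox'
      # Drop the host's own machine-account logons (such as EXCHANGE01$) for 4624/4625/4672.
      # ${COMPUTERNAME} is expanded from the environment; assumed to yield the host name.
      - drop_event.when.and:
          - or:
              - equals.winlog.event_id: 4624
              - equals.winlog.event_id: 4625
              - equals.winlog.event_id: 4672
          - equals.winlog.event_data.TargetUserName: "${COMPUTERNAME}$"
      # Security module enrichment runs after the drop rules, so the rules above must
      # reference the raw winlog.* fields, not the ECS fields this script adds.
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
```

Two caveats worth checking before relying on this: the drop rules are evaluated before the security module script, so they can only match on the raw `winlog.*` fields Winlogbeat itself populates, not on `user.name` or other ECS fields the script adds; and 4672 is not in the `event_id` list above (the 4700-4800 range does not cover it), so the 4672 branch only takes effect once that ID is added to the list. Run `winlogbeat test config` after editing to confirm the YAML still parses.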
