Drop_event from Win firewall

Hey guys, I'm looking for help here as a last resort. Can't find a solution.

I want to drop events from Win firewall log

the line is:

message
2022-12-02 08:53:10 ALLOW TCP 127.0.0.1 127.0.0.1 50740 389 0 - 0 0 0 - - - SEND

I don't want to send every line which contains 127.0.0.1 127.0.0.1

So I tried literally tens of regex combinations and nothing worked. All events still come through to my Graylog server.

processors:
    - drop_event:
        when:
            regexp:
                message: '(127\.0\.0\.1).(127\.0\.0\.1)'

processors:
    - drop_event:
        when:
            regexp:
                message: '\s\b(127\.0\.0\.1)\b\s\b(127\.0\.0\.1)\b\s'

etc etc..

Is there an obvious mistake? Please help
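One way to narrow this down, as an added example that is not part of the original post or of Filebeat itself: compile the first pattern from the post with Go's regexp package (Filebeat is written in Go and its `regexp` condition uses the same RE2 engine) and run it against the sample line. If it matches here, the pattern is not what is failing, and the problem is where the `processors` block sits in the config. The block also shows a field-based check that reads the src-ip and dst-ip columns of the Windows Firewall log format directly, which is less brittle than matching the whole line. The function names, the anchored pattern and the second log line are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in Windows Firewall pfirewall.log format:
// date time action protocol src-ip dst-ip src-port dst-port size ... path
const loopbackLine = "2022-12-02 08:53:10 ALLOW TCP 127.0.0.1 127.0.0.1 50740 389 0 - 0 0 0 - - - SEND"
const remoteLine = "2022-12-02 08:53:11 ALLOW TCP 10.0.0.5 127.0.0.1 50741 389 0 - 0 0 0 - - - RECEIVE"

// The first pattern from the post, compiled with Go's RE2 engine,
// which is what Filebeat's regexp condition uses.
var postedPattern = regexp.MustCompile(`(127\.0\.0\.1).(127\.0\.0\.1)`)

// Assumed alternative: anchor on the 5th and 6th whitespace-separated
// fields so that 127.0.0.1 appearing elsewhere on the line cannot match.
var anchoredPattern = regexp.MustCompile(`^\S+ \S+ \S+ \S+ 127\.0\.0\.1 127\.0\.0\.1 `)

// MatchesPosted reports whether the pattern from the post matches the line.
func MatchesPosted(line string) bool { return postedPattern.MatchString(line) }

// MatchesAnchored reports whether the field-anchored pattern matches the line.
func MatchesAnchored(line string) bool { return anchoredPattern.MatchString(line) }

// IsLoopbackToLoopback parses the columns instead of pattern-matching the
// whole line: index 4 is src-ip and index 5 is dst-ip in this log format.
func IsLoopbackToLoopback(line string) bool {
	f := strings.Fields(line)
	if len(f) < 6 {
		return false // malformed or truncated line: keep it rather than drop it
	}
	return f[4] == "127.0.0.1" && f[5] == "127.0.0.1"
}

func main() {
	for _, line := range []string{loopbackLine, remoteLine} {
		fmt.Printf("posted=%v anchored=%v fields=%v  %s\n",
			MatchesPosted(line), MatchesAnchored(line), IsLoopbackToLoopback(line), line)
	}
}
```

Because the posted pattern does match the sample line under RE2, the likely cause is configuration placement rather than the regex: Filebeat only applies a `processors` list that is attached to the input that reads the log (or a single global `processors` key at the top level), and two `processors:` keys at the same level in one YAML file are a duplicate key, so only one of them takes effect at best. A condition that checks the parsed columns, as `IsLoopbackToLoopback` does, also avoids dropping a line just because the loopback address happens to appear somewhere else in it.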
