Drop_event from Win firewall

vabe · December 2, 2022, 8:16am

Hey guys, I'm looking for help here as a last resort. Can't find a solution..

I want to drop events from Win firewall log

the line is:

message
2022-12-02 08:53:10 ALLOW TCP 127.0.0.1 127.0.0.1 50740 389 0 - 0 0 0 - - - SEND

I don't want to send every line which contains 127.0.0.1 127.0.0.1

So I tried literally tenths of regex combinations and nothing worked. All event's still come threw to my Graylog server.

processors:
    - drop_event:
        when:
            regexp:
                message: '(127\.0\.0\.1).(127\.0\.0\.1)'

processors:
    - drop_event:
        when:
            regexp:
                message: '\s\b(127\.0\.0\.1)\b\s\b(127\.0\.0\.1)\b\s'

etc etc..

Is there an obvious mistake? Please help

system · December 30, 2022, 10:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Would dropping events by regexp match be possible? Beats winlogbeat	3	601	January 17, 2020
Struggling with Drop_Event Processor Syntax and Structure Beats winlogbeat	2	356	July 23, 2020
Winlogbeat - multiple event_id's and processor drop_events Beats winlogbeat	2	138	May 28, 2024
Drop event does not work for specific field Beats winlogbeat	2	237	January 1, 2024
RegEx / RegExp NOT Condition Help Beats winlogbeat	2	994	November 22, 2018