Hi all. We are trying to accomplish the following task:
Log auth events from Windows security logs.
We set Winlogbeat to export data to Logstash. But the problem is that there are too many incoming events with the same ID, so we need to filter them by a certain field.
We made a Logstash filter like:
```
if [event][code] == 4624 and [winlog][event_data][LogonType] != 10 {
  drop { }
}
```
But it's no go. All 4624 events are dropped.
Then we made Winlogbeat settings like:
```yaml
- name: Security
  event_id: 4624
  processors:
    - drop_event.when.not.equals.winlog.event_data.LogonType: 10
```
But it does not work either. It also blocks all 4624 events.
Can someone explain how to correctly filter events by field value?