Drop_event syntax trouble with multiple processors (7.7.1)

Elastic Stack Beats
1

This will get past the configuration check, but appears that it filters all events out.

I think the OR is what is tripping me up. The other posts I've studied are close, but I can't recreate a working solution.

The logic is:

drop_event.when.not:
 (event id == 4624) -and (LogonType in [2,7,10])
or
  (event id == 4634) -and (LogonType in [2,7,10])
or
  event id == 4616
  event id == 4625
  event id == 4778

And this is my attempt:

- winlogbeat.event_logs:
  - name: Security
    tags: ["winlog_security"]
    ignore_older: 24h
    processors:
        - drop_event.when.not:
            -and:
            equals.event_id: 4624
            -and:
                equals.winlog.event_data.LogonType: "2"
                equals.winlog.event_data.LogonType: "7"
                equals.winlog.event_data.LogonType: "10"
            equals.event_id: 4634
            -and:
                equals.winlog.event_data.LogonType: "2"
                equals.winlog.event_data.LogonType: "7"
                equals.winlog.event_data.LogonType: "10"
            -or:
                equals.event_id: 4616
                equals.event_id: 4625
                equals.event_id: 4778
2

This appears to read more like the goal, but doesn't pass the config check.

  - name: Security
    tags: ["winlog_security"]
    ignore_older: 24h
    processors:
      - drop_event.when.not.or:
        equals.event_id: 4624
        - or:
          equals.winlog.event_data.LogonType: "2"
          equals.winlog.event_data.LogonType: "7"
          equals.winlog.event_data.LogonType: "10"
        equals.event_id: 4634
        - or:
          equals.winlog.event_data.LogonType: "2"
          equals.winlog.event_data.LogonType: "7"
          equals.winlog.event_data.LogonType: "10"
        - or:
          equals.event_id: 4616
          equals.event_id: 4625
          equals.event_id: 4778
3

Attempting to simplify, still not the intended results.
(cycling the service in between)
Config is good.

winlogbeat.event_logs:
  - name: Security
    tags: ["winlog_security"]
    ignore_older: 24h
    processors:
      - drop_event.when.not.and:
        - equals.event_id: 4624
        - contains.winlog.event_data.LogonType: "7"
4

I encountered a problem (I think a bug) with 7.13. Dropping by the numeric id wouldn't work, but this did:

 - drop_event.when:
          contains.winlog.event_id: "8013"
5

So, do you think equals.event_id not working is a bug? I do, it's documented to work.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.