Droping winlog.event_data.LogonType: "3"

kubekpk · May 10, 2020, 11:09am

Hello,
Starting with ELK ,I'm trying to drop the following event without success
winlog.event_data.LogonType: "3"
Can someone help?

- name: Security
 ignore_older: 24h
 event_id: 4624, 4625, 7045, 4758, 4743, 4734, 4730, 4726, 4648, 4776, 4768, 1102, 106, 4662, 
 4728, 4729, 4672, 4767, 4740
 processors:
 - drop_event.when:
    and:
    - equals.event_id: 4624
    - equals.winlog.event_data.LogonType: "3"'

jsoriano · May 10, 2020, 12:42pm

Hey @kubekpk,

I think the condition for event_id should be equals.winlog.event_id: 4624, as the event_id field is under a winlog object.

You can take a look to this topic, where a similar configuration is discussed: Filter system logons

kubekpk · May 11, 2020, 11:27am

Thx.

Topic		Replies	Views
Processor not dropping events Beats Winlogbeat Beats winlogbeat	3	880	April 29, 2021
Processor [drop_event] not dropping events Beats Winlogbeat Beats winlogbeat	3	684	July 31, 2019
Drop event if condition Logstash	7	3222	February 14, 2020
Drop_event syntax trouble with multiple processors (7.7.1) Beats winlogbeat	5	452	July 23, 2021
Winlogbeat doesn't drop events Beats winlogbeat	5	663	June 7, 2023

Droping winlog.event_data.LogonType: "3"

Related topics