Droping winlog.event_data.LogonType: "3"

kubekpk · May 10, 2020, 11:09am

Hello,
Starting with ELK ,I'm trying to drop the following event without success
winlog.event_data.LogonType: "3"
Can someone help?

- name: Security
 ignore_older: 24h
 event_id: 4624, 4625, 7045, 4758, 4743, 4734, 4730, 4726, 4648, 4776, 4768, 1102, 106, 4662, 
 4728, 4729, 4672, 4767, 4740
 processors:
 - drop_event.when:
    and:
    - equals.event_id: 4624
    - equals.winlog.event_data.LogonType: "3"'

jsoriano · May 10, 2020, 12:42pm

Hey @kubekpk,

I think the condition for event_id should be equals.winlog.event_id: 4624, as the event_id field is under a winlog object.

You can take a look to this topic, where a similar configuration is discussed: Filter system logons

kubekpk · May 11, 2020, 11:27am

Thx.

system · June 8, 2020, 11:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Processor [drop_event] not dropping events Beats Winlogbeat Beats winlogbeat	3	646	July 31, 2019
Processor not dropping events Beats Winlogbeat Beats winlogbeat	3	809	April 29, 2021
Winlogbeat - drop_event (multiple event ID's with specific rules) Beats winlogbeat	6	1179	November 18, 2020
Drop Events By ID Beats winlogbeat	2	329	August 22, 2019
Drop event if condition Logstash	7	3030	February 14, 2020

Droping winlog.event_data.LogonType: "3"

Related topics