Dropping Events using Winlogbeat Processors

popa · October 3, 2018, 12:24am

Good morning!

I've done some reading in Winlogbeat's documentation and wanted to confirm the syntax of a processor that I'm trying to implement.

I have a noisy event that I want to drop before it makes it to Logstash --> Elasticsearch --> Kibana. Here's the query I use in Kibana to pull the events:

event_data.ProcessName: "*Scan64.Exe" AND event_id: "4656"
event_data.ProcessName: "*mcshield.exe" AND event_id: "4663"

I believe the structure of the processor should look something like this:

processors:
- drop_event:
    when:
       equals:
           event_data.ProcessName: ["Scan64.Exe"]
       equals:
           event_id: ["4656"]

and

processors:
- drop_event:
    when:
       equals:
           event_data.ProcessName: ["mcshield.exe"]
       equals:
           event_id: ["4663"]

Does this look like the correct syntax to drop both of the conditions that I described above?

Thank you in advance for your help!

popa · October 3, 2018, 2:15am

Currently testing out the following and will update this post if it works:

processors:
- drop_event.when.and:
    - equals.event_data.ProcessName: 'mcshield.exe'
    - equals.event_id: '4663'
- drop_event.when.and:
    - equals.event_data.ProcessName: 'Scan64.Exe'
    - equals.event_id: '4656'

andrewkroh · October 3, 2018, 8:37pm

Your last post looks like it uses the correct syntax.

popa · October 4, 2018, 7:14am

Implemented the change, however, it's not dropping the events. Here's what I have:

processors:
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe'
  - equals.event_id: '4663'
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
  - equals.event_id: '4656'
- drop_event.when.and:
  - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
  - equals.event_id: '4689'

Ideally this will drop any event that matches the following queries:

(event_data.ProcessName: "C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe" and event_id: "4663")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4656")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4689")

Are there any issues with using ' ' versus using " " when using Windows paths?

andrewkroh · October 4, 2018, 1:43pm

How about trying with equals.event_id: 4689 (no quotes, where the event_id is a number rather than a string)?

popa · October 5, 2018, 1:07am

Looks like it works so far, @andrewkroh. Thanks!

system · November 2, 2018, 1:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.