popa
October 3, 2018, 12:24am
1
Good morning!
I've done some reading in Winlogbeat's documentation and wanted to confirm the syntax of a processor that I'm trying to implement.
I have a noisy event that I want to drop before it makes it to Logstash --> Elasticsearch --> Kibana. Here's the query I use in Kibana to pull the events:
I believe the structure of the processor should look something like this:
```yaml
processors:
  - drop_event:
      when:
        equals:
          event_data.ProcessName: ["Scan64.Exe"]
        equals:
          event_id: ["4656"]
```
and
```yaml
processors:
  - drop_event:
      when:
        equals:
          event_data.ProcessName: ["mcshield.exe"]
        equals:
          event_id: ["4663"]
```
Does this look like the correct syntax to drop both of the conditions that I described above?
Thank you in advance for your help!
popa
October 3, 2018, 2:15am
2
Currently testing out the following and will update this post if it works:
```yaml
processors:
  - drop_event.when.and:
      - equals.event_data.ProcessName: 'mcshield.exe'
      - equals.event_id: '4663'
  - drop_event.when.and:
      - equals.event_data.ProcessName: 'Scan64.Exe'
      - equals.event_id: '4656'
```
andrewkroh
(Andrew Kroh)
October 3, 2018, 8:37pm
3
Your last post looks like it uses the correct syntax.
popa
October 4, 2018, 7:14am
4
Implemented the change; however, it's not dropping the events. Here's what I have:
```yaml
processors:
  - drop_event.when.and:
      - equals.event_data.ProcessName: 'C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe'
      - equals.event_id: '4663'
  - drop_event.when.and:
      - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
      - equals.event_id: '4656'
  - drop_event.when.and:
      - equals.event_data.ProcessName: 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe'
      - equals.event_id: '4689'
```
Ideally this will drop any event that matches the following queries:
(event_data.ProcessName: "C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe" and event_id: "4663")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4656")
(event_data.ProcessName: "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe" and event_id: "4689")
Are there any issues with using ' ' versus using " " when using Windows paths?
andrewkroh
(Andrew Kroh)
October 4, 2018, 1:43pm
5
How about trying with equals.event_id: 4689 (no quotes, where the event_id is a number rather than a string)?
popa
October 5, 2018, 1:07am
6
Looks like it works so far, @andrewkroh. Thanks!
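As an added example, not code from this thread or from Winlogbeat itself, the following Python block is a small model of how `drop_event.when.and` with `equals` clauses is evaluated. It takes the three rules from post #4 twice, once with the event IDs quoted (strings) and once unquoted (integers), and runs them over constructed sample events shaped like Winlogbeat output. The type-strict comparison in `clause_matches` is the model's own assumption, chosen to reproduce the behaviour reported above: with quoted IDs nothing is dropped, with numeric IDs the three noisy combinations are dropped and every other event passes through.

```python
"""Simplified model of Beats-style drop_event conditions (added example, not Beats code).

Models only `drop_event.when.and` with `equals` clauses, written in the flattened
YAML form used in the thread ({"drop_event.when.and": [{"equals.field": value}, ...]}).
Assumption: `equals` is type-strict, so the string '4663' never matches the
integer 4663.  All sample events below are constructed for this example.
"""
from typing import Any, Dict, List, Tuple

Clause = Tuple[str, Any]   # (dotted field name, expected value)
Rule = List[Clause]        # every clause must match (the when.and form)


def compile_rules(processors: List[Dict[str, List[Dict[str, Any]]]]) -> List[Rule]:
    """Turn the flattened processor list into rules; one rule per drop_event entry."""
    rules: List[Rule] = []
    for proc in processors:
        for key, clauses in proc.items():
            if key != "drop_event.when.and":
                raise ValueError(f"unsupported processor form in this model: {key}")
            rule: Rule = []
            for clause in clauses:
                (ckey, expected), = clause.items()          # each clause is a one-key dict
                if not ckey.startswith("equals."):
                    raise ValueError(f"unsupported condition in this model: {ckey}")
                rule.append((ckey[len("equals."):], expected))
            rules.append(rule)
    return rules


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted name such as 'event_data.ProcessName' against a nested event."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def clause_matches(event: Dict[str, Any], field: str, expected: Any) -> bool:
    """Type-strict equality (model assumption): int 4663 != str '4663'."""
    actual = get_field(event, field)
    return actual is not None and type(actual) is type(expected) and actual == expected


def should_drop(event: Dict[str, Any], rules: List[Rule]) -> bool:
    """Drop if any rule matches; each drop_event processor is tried in turn."""
    return any(all(clause_matches(event, f, v) for f, v in rule) for rule in rules)


def apply_drop_event(events: List[Dict[str, Any]], processors) -> List[Dict[str, Any]]:
    rules = compile_rules(processors)
    return [e for e in events if not should_drop(e, rules)]


# Constructed sample data: full paths as in post #4, event_id stored as a number.
MCSHIELD = r"C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe"
SCAN64 = r"C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.Exe"

SAMPLE_EVENTS = [
    {"event_id": 4663, "event_data": {"ProcessName": MCSHIELD}},  # noisy: should be dropped
    {"event_id": 4656, "event_data": {"ProcessName": SCAN64}},    # noisy: should be dropped
    {"event_id": 4689, "event_data": {"ProcessName": SCAN64}},    # noisy: should be dropped
    {"event_id": 4663, "event_data": {"ProcessName": r"C:\Windows\System32\cmd.exe"}},  # keep
    {"event_id": 4688, "event_data": {"ProcessName": SCAN64}},    # keep: different event_id
]

# Post #4 as written: event_id values quoted, so they are strings.
QUOTED_IDS = [
    {"drop_event.when.and": [{"equals.event_data.ProcessName": MCSHIELD}, {"equals.event_id": "4663"}]},
    {"drop_event.when.and": [{"equals.event_data.ProcessName": SCAN64}, {"equals.event_id": "4656"}]},
    {"drop_event.when.and": [{"equals.event_data.ProcessName": SCAN64}, {"equals.event_id": "4689"}]},
]

# Post #5's suggestion: unquoted, numeric event_id values.
NUMERIC_IDS = [
    {"drop_event.when.and": [{"equals.event_data.ProcessName": MCSHIELD}, {"equals.event_id": 4663}]},
    {"drop_event.when.and": [{"equals.event_data.ProcessName": SCAN64}, {"equals.event_id": 4656}]},
    {"drop_event.when.and": [{"equals.event_data.ProcessName": SCAN64}, {"equals.event_id": 4689}]},
]


def surviving_events(processors) -> List[Tuple[int, str]]:
    """(event_id, executable name) of every sample event that is NOT dropped."""
    return [(e["event_id"], e["event_data"]["ProcessName"].rsplit("\\", 1)[-1])
            for e in apply_drop_event(SAMPLE_EVENTS, processors)]


if __name__ == "__main__":
    print("quoted ids keep :", surviving_events(QUOTED_IDS))
    print("numeric ids keep:", surviving_events(NUMERIC_IDS))
```

A rule that never matches fails silently; the events simply keep flowing, which is what post #4 observed. The practical check after deploying such a filter is therefore to count, in Kibana, how many of the targeted event_id / ProcessName combinations still arrive: zero confirms the filter, while the previous volume points to a type mismatch (quoted number) or a path that does not match the logged value exactly.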
system
(system)
Closed
November 2, 2018, 1:07am
7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.