Hi
I'm having a problem with winlogbeat not publishing events to logstash when I configure the processors for Security events so that I can specify more than the 22 limit:
```yaml
- name: Security
  ignore_older: 72h
  processors:
    - drop_event.when.not.or:
        - equals.event_id: 1100
        - equals.event_id: 1102
        - equals.event_id: 1104
        - equals.event_id: 4608-4609
        - equals.event_id: 4616
        - equals.event_id: 4624-4627
        - equals.event_id: 4634
        - equals.event_id: 4647-4649
        - equals.event_id: 4672
        - equals.event_id: 4688
        - equals.event_id: 4697
        - equals.event_id: 4703-4705
        - equals.event_id: 4720-4767
        - equals.event_id: 4778-4779
        - equals.event_id: 4783-4792
        - equals.event_id: 4886-4888
        - equals.event_id: 5140
        - equals.event_id: 5142-5144
        - equals.event_id: 5148-5149
        - equals.event_id: 5632-5633
        - equals.event_id: 6416
        - equals.event_id: 6420-6424
```
If I take the processors out, everything makes it to logstash:

```yaml
- name: Security
  ignore_older: 72h
```
Just in case I had too many filters, I tried just one and it doesn't work either:

```yaml
- name: Security
  ignore_older: 72h
  processors:
    - drop_event.when.not.or:
        - equals.event_id: 4624
```
The debug logs indicate the events are being filtered out when I have the processors configured:

```text
2019-05-20T15:33:12.284+0100 DEBUG [publisher] pipeline/client.go:200 Pipeline client receives callback 'onFilteredOut' for event: %+v{2019-05-20 14:33:11.6114434 +0000 UTC null {"event":{"action":"Logon","code":4624,"created":"2019-05-20T14:33:12.284Z","kind":"event"},"log":{"level":"information"},"message":"An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-664342396-1520592568-226259266-113888\n\tAccount Name:\t\t<REMOVED>\n\tAccount Domain:\t\t <REMOVED> \n\tLogon ID:\t\t0xCB4B844\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{<REMOVED>}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t<REMOVED>\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","winlog":{"activity_id":"{0C83FCBA-5742-0002-648E-E02FDA0ED501}","api":"wineventlog","channel":"Security","computer_name":"<REMOVED>","event_data":{"AuthenticationPackageName":"Kerberos","ElevatedToken":"%%1842","ImpersonationLevel":"%%1833","IpAddress":"<REMOVED>","IpPort":"0","KeyLength":"0","LmPackageName":"-","LogonGuid":"{<REMOVED>}","LogonProcessName":"Kerberos","LogonType":"3","ProcessId":"0x0","ProcessName":"-","RestrictedAdminMode":"-","SubjectDomainName":"-","SubjectLogonId":"0x0","SubjectUserName":"-","SubjectUserSid":"S-1-0-0","TargetDomainName":"<REMOVED>","TargetLinkedLogonId":"0x0","TargetLogonId":"0xcb4b844","TargetOutboundDomainName":"-","TargetOutboundUserName":"-","TargetUserName":"<REMOVED>","TargetUserSid":"<REMOVED>","TransmittedServices":"-","VirtualAccount":"%%1843","WorkstationName":"-"},"event_id":4624,"keywords":["Audit Success"],"opcode":"Info","process":{"pid":764,"thread":{"id":860}},"provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","provider_name":"Microsoft-Windows-Security-Auditing","record_id":14946,"task":"Logon","version":2}} {Security 14946 2019-05-20 14:33:11.6114434 +0000 UTC <BookmarkList>
```
I'm using winlogbeat 7.0.1
Any ideas?
Thanks, Kevin
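The following is an added example, not part of Kevin's post and not Elastic's code. It reimplements the small subset of Beats condition semantics (`equals`, `range`, `or`, `and`, `not`, and dotted config keys) needed to evaluate a `drop_event` processor against a winlogbeat 7.x event offline, so a filter can be checked before it is deployed. The field names come from the debug line in the post, where the ID appears as `winlog.event_id` (and `event.code`) rather than a top-level `event_id`; the sample event is constructed from that line and trimmed. The `range` condition with `gte`/`lte` is the standard Beats condition used here to express the ID ranges that `equals` cannot.

```python
"""Evaluate a Beats drop_event processor against a winlogbeat 7.x event offline.

Added example (not from the forum post or from Elastic). The event below is
constructed from the debug line in the post and trimmed to the fields used.
"""

SAMPLE_EVENT = {
    "event": {"action": "Logon", "code": 4624, "kind": "event"},
    "winlog": {
        "channel": "Security",
        "event_id": 4624,
        "provider_name": "Microsoft-Windows-Security-Auditing",
    },
}


def expand(node):
    """Turn Beats dotted keys ({"equals.event_id": 4624}) into nested mappings."""
    if isinstance(node, list):
        return [expand(n) for n in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        parts = key.split(".")
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = expand(value)
    return out


def flatten(mapping, prefix=""):
    """Inverse of expand for condition bodies: {"winlog": {"event_id": 4624}} -> {"winlog.event_id": 4624}."""
    out = {}
    for key, value in mapping.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def get_field(event, path):
    """Dotted lookup; None when any component is missing (a missing field never matches)."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


RANGE_OPS = {
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
}


def evaluate(cond, event):
    """True if the (expanded) condition matches the event."""
    (op, body), = cond.items()
    if op == "or":
        return any(evaluate(c, event) for c in body)
    if op == "and":
        return all(evaluate(c, event) for c in body)
    if op == "not":
        return not evaluate(body, event)
    if op == "equals":
        return all(get_field(event, f) == v for f, v in flatten(body).items())
    if op == "range":
        for path, bound in flatten(body).items():
            field, _, rel = path.rpartition(".")  # "winlog.event_id.gte" -> field, "gte"
            value = get_field(event, field)
            if not isinstance(value, (int, float)) or not RANGE_OPS[rel](value, bound):
                return False
        return True
    raise ValueError(f"unsupported condition: {op}")


def would_drop(processor, event):
    """True if a drop_event processor (Beats dotted-key config as a dict) discards the event."""
    return evaluate(expand(processor)["drop_event"]["when"], event)


def with_event_id(event_id):
    """Copy of the sample event carrying a different Security event ID (constructed)."""
    ev = {"event": dict(SAMPLE_EVENT["event"]), "winlog": dict(SAMPLE_EVENT["winlog"])}
    ev["event"]["code"] = event_id
    ev["winlog"]["event_id"] = event_id
    return ev


# The single-filter processor from the post: top-level event_id is absent in 7.x, so
# equals never matches and "not" turns that into "drop everything".
POSTED = {"drop_event.when.not.or": [{"equals.event_id": 4624}]}

# Same intent with the 7.x field name; ranges are written with the range condition.
FIXED = {"drop_event.when.not.or": [
    {"equals.winlog.event_id": 4624},
    {"range.winlog.event_id": {"gte": 4608, "lte": 4609}},
    {"range.winlog.event_id": {"gte": 4720, "lte": 4767}},
]}

if __name__ == "__main__":
    for label, proc in (("posted", POSTED), ("fixed", FIXED)):
        for eid in (4624, 4609, 4625, 4740):
            verdict = "drop" if would_drop(proc, with_event_id(eid)) else "keep"
            print(f"{label}: event {eid} -> {verdict}")
```

Running it shows the posted processor dropping every ID while the corrected one keeps 4624, 4609 and 4740 and drops 4625. The dotted-key form mirrors what goes in winlogbeat.yml, so a `FIXED`-style dict can be transcribed back into the `processors:` list one entry per line.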