Hello,
Please how can I create a filter AD event on winlogbeat ?(security,application,system)
I add some event id on each section but it doesn't work.
Thank You.
what I have written on winlogbeat.yml:
Security:4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,
4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,
4928-4937,4946-4960,4964
Application:5038,5039,4668
System: 4648,4657,4760,4688-4689,4697-4699
Hi @Hanen,
Can you please tell us which version of Winlogbeat are you using and share your winlogbeat.yml ?
Enclose your configuration between triple-backticks: ``` ..configuration.. ``` so it gets properly formatted.
Thanks for your replay,
winlogbeat.event_logs:
- name: Application
ignore_older: 24h
event_id: 5038,5039,4668
- name: Security
ignore_older: 24h
event_id:4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,
4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,
4928-4937,4946-4960,4964
- name: System
ignore_older: 24h
event_id:4648,4657,4760,4688-4689,4697-4699
name: "NOM"
output.logstash:
hosts: ["@logstash:5044"]
Many thanks!!!!!!!
The indenting in your configuration is wrong. event_id should have the same indentation as ignore_older:
winlogbeat.event_logs:
- name: Application
ignore_older: 24h
event_id: 5038,5039,4668
- name: Security
ignore_older: 24h
event_id:4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,4928-4937,4946-4960,4964
- name: System
ignore_older: 24h
event_id:4648,4657,4760,4688-4689,4697-4699
Yes in winlogbeat.yml event_id have the same indentation as ignore_older but it it doesn't work.
in winlogbeat.log: WARN EventLog[Security] Open() error. No events will be read from this source. The specified query is invalid
Can I create a processor like this?
processors:
- drop_event.when.and:
- equals.log_name: Security
- not.or:
- equals.event_id: 4634
- equals.event_id: 4624-4625
- equals.event_id: 4608-4609
- equals.event_id: 4700-4800
- equals.event_id: 4611
- equals.event_id: 4616
- equals.event_id: 4618
- equals.event_id: 4621
- equals.event_id: 4627
- equals.event_id: 4646-4649
- equals.event_id: 4657
- equals.event_id: 4662-4664
- equals.event_id: 4670
- equals.event_id: 4672-4674
- equals.event_id: 4819
- equals.event_id: 4825
- equals.event_id: 4864-4902
- equals.event_id: 4908
- equals.event_id: 4913
- equals.event_id: 4928-4937
- equals.event_id: 4946-4960
- equals.event_id: 4964
Is it true?
thanks
I recommend you use the event_id filtering, as it is more efficient than a drop_event processor.
There were still some errors in your configuration. It worked for me with this:
winlogbeat.event_logs:
- name: Application
ignore_older: 24h
event_id: '5038,5039,4668'
- name: Security
ignore_older: 24h
event_id: '4634,4624-4625,4608-4609,4700-4800,4611,4616,4618,4621,4627,4646-4649,4657,4662-4664,4670,4672-4674,4819,4825,4864-4902,4908,4913,4928-4937,4946-4960,4964'
- name: System
ignore_older: 24h
event_id: '4648,4657,4760,4688-4689,4697-4699'Hello, thank you so much, it worked for me 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.