Filter out Windows proccesses

Thomas_Kucirek · May 9, 2019, 3:04pm

Hi, i want to filter the events collected by the winlogbeat. Because it is a lot of unwanted noise, i want to drop all events that come from the System32 processes like svchost, backGroundTaskhost etc.

I've tried using drop_event in different ways but it does not seem to work since it is still included in the output.
I tried several ways based on examples i found but none of them seem to do anything:

 - drop_event:
    when.or:
      - regexp.event_data.NewProcessName: 'C:\\Windows\\System32\\*'

  - drop_event:
     when:
       equals.event_data.ParentProcessName: ['C:\\Windows\\System32\\svchost.exe']


  - drop_event:
     when:
        contains:
           event_data.NewProcessName: ["C:\\Windows\\System32*"]

Any help for this is very much appreciated and i hope the formatting was ok.
Thanks

Thomas_Kucirek · May 9, 2019, 4:24pm

Ok I managed to work around it by filtering the message of the event for the System32 directory and drop the event if it is contained:

  - drop_event.when:
       contains.message: "C:\\Windows\\System32\\"

But later on i would like to drop the field message if possible so any further directions would be helpful.

Topic		Replies	Views
Drop_event not working via process name or path Beats winlogbeat	3	600	March 29, 2022
Winlogbeat drop event with process path Beats winlogbeat	1	446	July 17, 2021
Try to take only log from on application Beats winlogbeat	4	473	June 10, 2020
Unable to drop events Beats winlogbeat	6	1049	June 28, 2018
Filtering not working Beats winlogbeat	8	778	July 9, 2020

Filter out Windows proccesses

Related topics