Umm, this event should have been skipped with this config:
winlogbeat.event_logs:
- name: Security
processors:
- drop_event:
when:
and:
- or:
- equals.winlog.event_id: 4624
- equals.winlog.event_id: 4634
- or:
- equals.winlog.event_data.TargetUserName: "SYSTEM"
- equals.winlog.event_data.TargetUserName: "NAMESQL"
To add more rules to match names you don't need to remove these ones, you can for example add your regexp, and keep the rule for the SYSTEM user:
winlogbeat.event_logs:
- name: Security
processors:
- drop_event:
when:
and:
- or:
- equals.winlog.event_id: 4624
- equals.winlog.event_id: 4634
- or:
- equals.winlog.event_data.TargetUserName: 'SYSTEM'
- regexp.winlog.event_data.TargetUserName: '^SQL.*\$'