Filter system logons

jsoriano · April 15, 2020, 9:15am

Umm, this event should have been skipped with this config:

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - or:
            - equals.winlog.event_data.TargetUserName: "SYSTEM"
            - equals.winlog.event_data.TargetUserName: "NAMESQL"

To add more rules to match names you don't need to remove these ones, you can for example add your regexp, and keep the rule for the SYSTEM user:

winlogbeat.event_logs:
- name: Security
  processors:
  - drop_event:
      when:
        and:
          - or:
            - equals.winlog.event_id: 4624
            - equals.winlog.event_id: 4634
          - or:
            - equals.winlog.event_data.TargetUserName: 'SYSTEM'
            - regexp.winlog.event_data.TargetUserName: '^SQL.*\$'

Topic		Replies	Views
Winlogbeat and drop_event filter Beats winlogbeat	5	4946	May 9, 2017
Winlogbeat filtering problem Beats winlogbeat	3	337	October 12, 2020
Winlogbeat filter not working Beats winlogbeat	3	502	June 26, 2020
Filter :Active Directory Event Beats winlogbeat	8	760	June 7, 2018
Winlogbeat inop filter with more than 2 lines Beats winlogbeat	4	601	May 3, 2021

Filter system logons

Related topics