Filter WinEventLog Type by User.Name

jameswatson3 · October 19, 2017, 4:15pm

The question is specific to user.name but it also applies to any "multi-part" field like event_data.TargetUserName, etc which all have the same issue in my experience.

In the following config example, logs that match bob in the message field are matched and dropped but the filter will not match ann in the user.name field and that log will not be dropped.

filter {
  if [type] == "wineventlog" {
    if [message] =~ 'bob' or
    [user.name] =~ 'ann' {
     drop { }
    }
  }
}
...

Hopefully, I'm just missing something very simple here. Can anyone point me in the right direction?

magnusbaeck · October 19, 2017, 4:37pm

You're using the wrong syntax for nested fields, see https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references.

system · November 16, 2017, 4:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.