Filter winlogbeat

Hello,

As part of implementing a centralized logging system in my company, I am configuring winlogbeat to visualize my logon and logoff logs.
I send the data directly to the Elasticsearch cloud.
But I am polluted by the internal connections of my cluster, so I need to set up filters.

Here is what I put in my winlogbeat.yml file:

processors:
  - drop_event.when.or:
    - regexp.winlog.event_data.SubjectUserName: '.*\$'
    - regexp.winlog.event_data.TargetUserName: '.*\$'
    # anchored: 'HealthMailbox*' matched any name containing 'HealthMailbo'
    - regexp.winlog.event_data.TargetUserName: '^HealthMailbox'
    - equals.winlog.event_data.TargetUserName: 'ANONYMOUS LOGON'
    - equals.winlog.event_data.LogonType: '0'
    - equals.winlog.event_data.LogonType: '5'

But the display in the SIEM is no longer viable ...
So I put this:

processors:
  - drop_event.when.or:
    - regexp.winlog.event_data.SubjectUserName: '.*\$'
    - regexp.winlog.event_data.TargetUserName: '.*\$'
    # anchored: 'HealthMailbox*' matched any name containing 'HealthMailbo'
    - regexp.winlog.event_data.TargetUserName: '^HealthMailbox'
    - equals.winlog.event_data.TargetUserName: 'ANONYMOUS LOGON'
    - equals.winlog.event_data.LogonType: '0'
    - equals.winlog.event_data.LogonType: '5'
# second top-level processors key, as posted
processors:
  - script:
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js

But now the filter does not work anymore ...
Could you help me?

Thank you

Hi @DorianL, I see you are defining processors twice in your config file. Can you add the script processor under the first processors key and let us know whether this worked in your case?
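For reference, here is what the merged configuration the reply asks for looks like. This is an added example, not a config posted in the thread: the two processor lists from the posts above are placed under a single top-level processors key, written in the nested form that is equivalent to the dotted drop_event.when.or form used in the posts. The field names and the script path come from the thread; the regex patterns are Go RE2 syntax as Beats evaluates them, and the LogonType meanings in the comments are the standard Windows values.

```yaml
# Added example (not from the original post): both processor lists merged
# under ONE processors key. A YAML document with the key twice does not merge
# the two lists, which is why the drop_event filter stopped working.
processors:
  # Drop noisy logons first, before the security module script enriches the event.
  - drop_event:
      when:
        or:
          - regexp:
              winlog.event_data.SubjectUserName: '\$$'   # machine accounts end in "$"
          - regexp:
              winlog.event_data.TargetUserName: '\$$'
          - regexp:
              winlog.event_data.TargetUserName: '^HealthMailbox'   # Exchange health probe mailboxes
          - equals:
              winlog.event_data.TargetUserName: 'ANONYMOUS LOGON'
          - equals:
              winlog.event_data.LogonType: '0'   # event_data values are strings, so quote the number
          - equals:
              winlog.event_data.LogonType: '5'   # service logons
  # Same script processor as in the second post, now in the same list.
  - script:
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js
```

Two details worth noting. The patterns are unanchored searches: the posted '.*\$' matches a "$" anywhere in the name, whereas '\$$' only matches names that end in "$", which is what the machine-account filter intends. And after editing, run winlogbeat test config -c winlogbeat.yml to confirm the file parses before restarting the service.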

After a weekend of tests, it finally works thanks to you, thank you very much.
