Filtering Winlogbeat on Event ID

Sean_Lamm · March 9, 2016, 1:57pm

Is there a way to filter events in winlogbeat so I am only sending certain event id's? I am specifically looking to send only event id 8003 for now to limit the transmission of data to our ELK stack. I have around 20,000 machines that could send data.

Thanks!

andrewkroh · March 9, 2016, 2:27pm

That's a lot of machines. See the discussion here: Filtering Winlogbeat Events

Summarizing that thread, a filtering feature is being added to all beats. Relevant here is drop_event in the proposal. Additionally there is a request for using XPath queries in Winlogbeat, but that's further out (#1053 is first in line).

At the current time you need to use Logstash to do filtering.

Sean_Lamm · March 9, 2016, 2:30pm

Any creative ideas I can try now to limit the data flow to the ELK stack?

andrewkroh · March 9, 2016, 2:47pm

With Logstash you can do this:

input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "wineventlog" and [event_id] != 8003 {
    drop { } 
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Sean_Lamm · March 9, 2016, 2:51pm

Thanks for the quick responses!

This will only prevent the events from being captured by logstash and not prevent winlogbeat from sending them to the logstash server. I really am looking for a way to prevent the traffic flow to the logstash server.

How long until the drop_event feature will be added? Can I beta test the release?

Thanks!

andrewkroh · March 9, 2016, 3:09pm

The feature is targeted to v5 (the next major release), but it hasn't been implemented so there's nothing to test yet.

Dave_Foster · March 10, 2016, 4:14am

Thx for this reply. I was actually looking for something similar. In my case there seemed to be a syntax problem with the above. I used the following (changing the eventID to event_id and removing the quotes around the 4634...

input {
  beats {
    port => 5040
#   ssl => false
#   ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
#   ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "wineventlog" and [event_id] == 4624 or [event_id] == 4634 {
    drop { } 
  }
}



output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

andrewkroh · March 14, 2016, 8:49pm

Thanks @Dave_Foster. I updated my post to reflect the changes you made.