Help with Winlogbeat yaml config

xxstyler20xx · November 30, 2019, 9:30pm

Hello I'm new to this and I just can't find the rigt answer for my problem..
I'm stuck with my winlogbeat yaml conf.
//
event_logs:

name: Security
event_id: 4625, 4624
processors:
drop_fields:
fields: ["message"]
//
this works

But now I want to drop event_id 4624 when NOT:

equals.event_data.TargetUserName: Administrator
OR NOT
equals.event_data.TargetUserName: root

I tried many different ways I found on the internet but no matter how I write it I just get errors...

Thanks for help!
{NOTE: massage field should always drop.. }

xxstyler20xx · December 1, 2019, 5:40pm

nobody??

rugenl · December 1, 2019, 11:13pm

I don't understand your logic. Let's test with 3 matching event_id's, one each where TargetUserName is "Administrator", "root", and "bob".

You drop "Administrator" because it is not "root". You drop "root" because it is not "Administrator", you drop "bob" because both match. It looks your logic logic drops everything.

If that doesn't help, your syntax and error messages would help.

xxstyler20xx · December 1, 2019, 11:27pm

Yeah.. Could be ..I‘m really pretty new to this.. So forget about the mistakes I made..

I want to only get event 4624 logged when the username is Administrator or root

rugenl · December 2, 2019, 12:55am

I think it's very confusing logic, someone else on our team handles these, I tend to send it all to logstash and let it sort it out. But, I think it's something like this:

processors:
- drop_event:
    when:
      and:
      - not:
        - or:
          - equals.TargetUserName: Administrator
          - equals.TargetUserName: root
      - equals.event_data.event_id: 4624

Use a YAML lint tool to validate your file before using it in winlogbeat.

xxstyler20xx · December 2, 2019, 4:42am

Thanks very much I will give it a shot..
why is it confusing .. don‘t get your point.. for me your config is confusing :‘)

because i want drop event 6524 when username not administrator or root..

the code you send me looks like not drop
4624, or admin , or root ..

The next thing is.. in other posts they write „winlog.eventdata.targetusername“ ..
So thats confusing for me .. also the point with the - symbol.. depends on the page dou look everyone writes different and i get only „missing key here, wrong symbol here.. and so an errors..

Also there is no team that handles anything..

rugenl · December 2, 2019, 1:56pm

I think most of those errors are YAML formatting errors. I think it will help you to validate the YAML with a linter (linked above) to get valid YAML before testing in beats.

Dashes are array syntax in YAML see the array section here.

In my guess above, the and can have a '-' and it's still valid yaml, it's just a 1 element array. The "- not" and "- equals.event_data.event_id" are elements of the "and", in the doc . The "- or" is a complex conditional also with 2 elements.

YAML "equals.event_data.event_id: 4624" is the same as

equals:
  event_data.event_id: 4624

Just different format, adding to the confustion.

system · December 30, 2019, 3:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.