How can I skip recording an event with these conditions

jftuga · April 16, 2021, 8:41pm

I am using winlogbeat. How can I exclude events that meet the following criteria:

event_id = 4670
only when the "related": "user" value ends with a $
(alternatively) the "user": "name" ends with a $

Values that end in a $ correspond to machine accounts and I am not interested logging these.

Thanks,
-John

Jason_Slater · April 17, 2021, 6:29am

Hi John,

You can add filtering in your winlogbeat.yml file -- see winlogbeat.reference.yml for examples

See this page for documentation on conditions:

Specifically, you would need to add something like this to your winlogbeat.yml file:

  processors:
      - drop_event:
          when:
            and:
              - equals:
                  event_id: 4670
              - or
                  - regexp:
                      related.user: "\\$$"
                  - regexp:
                      user.name: "\\$$"

system · May 15, 2021, 8:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.