How can I skip recording an event with these conditions

jftuga · April 16, 2021, 8:41pm

I am using winlogbeat. How can I exclude events that meet the following criteria:

event_id = 4670
only when the "related": "user" value ends with a $
(alternatively) the "user": "name" ends with a $

Values that end in a $ correspond to machine accounts and I am not interested logging these.

Thanks,
-John

Jason_Slater · April 17, 2021, 6:29am

Hi John,

You can add filtering in your winlogbeat.yml file -- see winlogbeat.reference.yml for examples

See this page for documentation on conditions:

Specifically, you would need to add something like this to your winlogbeat.yml file:

  processors:
      - drop_event:
          when:
            and:
              - equals:
                  event_id: 4670
              - or
                  - regexp:
                      related.user: "\\$$"
                  - regexp:
                      user.name: "\\$$"

system · May 15, 2021, 8:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filtering Winlogbeat on Event ID Beats winlogbeat	8	10042	July 5, 2017
Winlogbeat - drop_event (multiple event ID's with specific rules) Beats winlogbeat	6	1173	November 18, 2020
Winlogbeat filter not working Beats winlogbeat	3	502	June 26, 2020
Filter when field is missing Beats winlogbeat	4	754	March 1, 2018
Winlogbeat filtering problem Beats winlogbeat	3	337	October 12, 2020

How can I skip recording an event with these conditions

Related topics