I am using winlogbeat. How can I exclude events that meet the following criteria:
- event_id = 4670
- only when the "related": "user" value ends with a $
- (alternatively) the "user": "name" ends with a $
Values that end in a $ correspond to machine accounts and I am not interested in logging these.
You can add filtering in your winlogbeat.yml file -- see winlogbeat.reference.yml for examples
See this page for documentation on conditions:
Specifically, you would need to add something like this to your winlogbeat.yml file:
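The kind of filtering the reply above is pointing at, written out as an added example (this is not the reply's own configuration). It uses the Beats `drop_event` processor with a `when` condition. It assumes Winlogbeat 7.x or later with ECS field names, where `winlog.event_id` is carried as a string (hence the quoted value) and the account name lands in `user.name`; `related.user` is an array, and whether `regexp` matches against each element of an array depends on the Beats version, so the `user.name` branch is the one to rely on. Check a sample event from your own output before trusting the field names and types.

```yaml
# winlogbeat.yml (added example; assumes ECS-era Winlogbeat 7.x+ field names)
winlogbeat.event_logs:
  - name: Security
    # no event_id filter here: the processor below decides what to drop

processors:
  # Drop 4670 (permissions on an object changed) when the acting account is a
  # machine account, i.e. its name ends with "$".
  - drop_event:
      when:
        and:
          # winlog.event_id is a keyword/string in ECS mappings, so quote it;
          # an unquoted integer will not compare equal to the string value.
          - equals:
              winlog.event_id: "4670"
          - or:
              # Go regexp: a literal "$" (escaped) followed by end-of-string.
              # Single quotes keep the backslash literal in YAML.
              - regexp:
                  user.name: '\$$'
              # Alternative field from the question; related.user is an array,
              # so confirm array matching works on your Beats version before
              # relying on this branch alone.
              - regexp:
                  related.user: '\$$'
```

Run `winlogbeat test config -c winlogbeat.yml` after editing to catch YAML or condition syntax errors before restarting the service. Putting `processors` under a specific entry in `winlogbeat.event_logs` instead of at the top level scopes the drop to that one channel.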