I'm trying to filter out some specific values for the Windows event id 4663. We have one computer that generates 99% of these events and we want to filter that out. Below is what I have but it's not working. The add_tag is to let me know that it's working correctly before I change it to drop the logs.
I'm having trouble with the [event_data][SubjectUserName] line. The tag isn't added here, but if I remove this line it adds the tag for all 4663 events, and I want to filter based on the SubjectUserName. Any ideas what I'm missing?
filter {
  if "winlogbeat" in [tags] {
    if [EventID] == 4663 {
      # Exact string comparison against the computer account name
      if [event_data][SubjectUserName] == "NoisyHost$" {
        # Tag only for now; to be swapped for drop {} once the match is confirmed
        mutate {
          add_tag => [ "4663_dropped" ]
        }
      }
    }
  }
}
Without an example document it is difficult, but it looks like it is a winlogbeat document.
Possibly you can change 4663 to "4663" or escape the hostname as "NoisyHost\$".
It is also possible that the path to the EventID or SubjectUserName is wrong.
Maybe you can provide an anonymized example document?
That is a string comparison that matches a string that ends with a dollar sign. If you meant it to match any name that ends with NoisyHost you would have to replace == with =~
I'm trying to match a computer account name which has a dollar sign at the end. I could probably get by with just matching the hostname without the dollar sign but I'm not sure how to do a partial match.
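The three ways of matching a computer account name in a Logstash conditional, as an added example rather than code from the original thread. It keeps the same field paths the question uses ([EventID], [event_data][SubjectUserName]) and the placeholder name NoisyHost; the tag names and the prefix-match branch are illustrative assumptions. The point it shows is that == is a whole-string comparison in which a trailing $ is just a character, while =~ takes a regex in which $ is the end-of-string anchor and must be escaped.

```logstash
# Added example: exact, anchored-regex and prefix matching of a
# computer account (SubjectUserName ending in "$") for event 4663.
filter {
  if "winlogbeat" in [tags] and [EventID] == 4663 {

    # 1. Exact match. == compares the whole string, so the trailing "$"
    #    of the computer account is a literal character; no escaping needed.
    if [event_data][SubjectUserName] == "NoisyHost$" {
      mutate { add_tag => [ "4663_exact_match" ] }
    }

    # 2. Regex match of the same value. Inside /.../ a bare $ is the
    #    end-of-string anchor, so the literal dollar sign is written \$.
    #    ^ anchors the start so that "OtherNoisyHost$" does not match.
    if [event_data][SubjectUserName] =~ /^NoisyHost\$$/ {
      mutate { add_tag => [ "4663_regex_match" ] }
    }

    # 3. Partial (prefix) match, useful when the trailing "$" cannot be
    #    relied on. (?i) makes it case-insensitive; account names are
    #    case-insensitive in Windows but may be logged in either case.
    if [event_data][SubjectUserName] =~ /^(?i)noisyhost/ {
      mutate { add_tag => [ "4663_prefix_match" ] }
    }

    # Once the expected events carry the tag, replace the mutate block of
    # the branch you want with:
    #   drop { }
  }
}
```

Before relying on any of the branches, confirm the field path on a real event with an `stdout { codec => rubydebug }` output: if SubjectUserName lives under a different parent (for example a nested winlog object in newer Winlogbeat versions) none of the conditionals will match, which is consistent with the symptom in the question, where the tag appears only when the SubjectUserName line is removed. Also note that SubjectUserName is the account that performed the access, not the host that logged it: matching the computer account drops 4663 events generated by services running as that machine account, but keeps events from interactive users on the same host, so if the goal is to silence a whole host, [computer_name] or the beat's host field is the right key. Dropping 4663 broadly removes object-access audit data for that account; narrowing the drop with an additional condition on [event_data][ObjectName] or the process name keeps the noisy path quiet without blinding detections on everything else it touches.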