Problems with AND in drop_events.when.or

Matthew_Smith · October 14, 2020, 3:43pm

I'm trying to drop a particular event id (4624 or 4627) when the TargetUserName is SYSTEM and then also just always drop event id 5379. What am I doing wrong here?

# Needed for Graylog

fields_under_root: true

fields.collector_node_id: ${sidecar.nodeName}

fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:

  hosts: ["HOST"]

path:

  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data

  logs: C:\Program Files\Graylog\sidecar\logs

tags:

- windows

winlogbeat:

event_logs:

  - name: Application

  - name: System

  - name: Security

processors:

- drop_event.when.or:

  - equals.event_id: 5379

  - and:

    - equals.winlogbeat_event_data_TargetUserName: SYSTEM

    - or:

      - equals.event_id: 4624

      - equals.event_id: 4627

andrewkroh · October 14, 2020, 4:49pm

That field name looks wrong. It should be winlog.event_data.TargetUserName.

Matthew_Smith · October 14, 2020, 5:37pm

Good catch!

I'm breaking it down to be more simple and I'm still having problems with SYSTEM TargetUserName coming through with just:

processors:
- drop_event.when.or:
  - equals.event_id: 5379
  - and:
    - equals.winlogbeat_event_data.TargetUserName: SYSTEM

but this works just fine:

processors:
- drop_event.when.or:
  - equals.event_id: 5379
  - equals.winlogbeat_event_data.TargetUserName: SYSTEM

Any idea?

system · November 11, 2020, 7:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.