Hey guys,
I am a total amateur with logstash and I am trying to build something small, I think. I am currently using winlogbeat to get Windows events, but I want to customize the filter a bit.
The goal of my filter is to drop all logs with level "information", except logs with the log_name "Dhcp-Server" or winlog.event_id "4740".
Win Event "4740" occurs if a user locks himself out, 10 times wrong password.
Small information: I am using a German Windows Server DC, and because of that the log_level is "informationen"; it's the same value I see in Kibana.
filter {
  if "active directory" in [tags] {
    if [log][level] == "informationen" and [log_name] != "Dhcp-Server" or [winlog][event_id] != "4740" {
      drop { }
    }
    mutate {
      remove_field => [ "host" ]
    }
  }
}
But the 4740 messages never appear in Kibana, so I assume that something is wrong there. It seems that the "drop" drops all events with log.level "informationen" and doesn't care about the rest of the if statement.
Best regards,
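Added example (not part of the original post): the same filter with the condition written so the two exceptions are actually evaluated. In Logstash conditionals `and` binds tighter than `or`, so the original reads as `(level == "informationen" and log_name != "Dhcp-Server") or (event_id != "4740")`, which is true for a 4740 event. The field names and the string comparison on `winlog.event_id` are taken from the post as-is; whether `event_id` arrives as a string or a number depends on the winlogbeat version, so check the field type in Kibana before relying on the `"4740"` comparison.

```logstash
filter {
  if "active directory" in [tags] {
    # Drop informational events only when they are neither DHCP server
    # logs nor account-lockout events (4740). All three tests must hold,
    # so they are chained with "and" instead of mixing "and" and "or".
    if [log][level] == "informationen" and [log_name] != "Dhcp-Server" and [winlog][event_id] != "4740" {
      drop { }
    }
    # Equivalent form using explicit grouping and negation:
    # if [log][level] == "informationen" and !([log_name] == "Dhcp-Server" or [winlog][event_id] == "4740") {
    #   drop { }
    # }
    mutate {
      remove_field => [ "host" ]
    }
  }
}
```

Keeping 4740 visible matters for detection: a burst of lockouts across many accounts is a common sign of password spraying, so this event should never be caught by a noise filter.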