Processor [drop_event] not dropping events

ver 5.1.1

I have the below implemented to drop windows events not needed, but am still getting events that should be blocked.

I had previously tried

processors:

  • drop_event:
    when:
    not:
    equals:
    event_id: 1102 OR 4618 OR 4624 OR 4625 OR 4648 OR 4649 OR 4657 OR 4672 OR 4692 OR 4693 OR 4694 OR 4706 OR 4714 OR 4724 OR 4735 OR 4740 OR 4892 OR 4896 OR 4897 OR 4963 OR 4964 OR 4964 OR 5030 OR 5124 OR 6272 OR 6273 OR 6274 OR 6275 OR 6276 OR 6277 OR 6278 OR 6279 OR 6280 OR 10028

but this did not seem to work.

###################### Winlogbeat Configuration Example ##########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.full.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ==========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  - name: Application
      #ignore_older: 72h
  - name: Security
  - name: System

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["xxx.xx.xxx.xxx:xxxx"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: critical


# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

processors:
 - drop_event:
     when:
       equals:
        event_id: 512 OR 513 OR 514 OR 515 OR 516 OR 517 OR 518 OR 519 OR 520 OR 521 OR 528 OR 529 OR 530 OR 531 OR 532 OR 533 OR 534 OR 535 OR 536 OR 537 OR 538 OR 539 OR 540 OR 551 OR 552 OR 560 OR 561 OR 562 OR 563 OR 564 OR 565 OR 566 OR 567 OR 576 OR 577 OR 578 OR 592 OR 593 OR 594 OR 595 OR 596 OR 600 OR 601 OR 602 OR 608 OR 609 OR 610 OR 611 OR 612 OR 613 OR 614 OR 615 OR 616 OR 617 OR 618 OR 619 OR 620 OR 621 OR 622 OR 623 OR 624 OR 625 OR 626 OR 627 OR 628 OR 629 OR 630 OR 631 OR 632 OR 633 OR 634 OR 635 OR 636 OR 637 OR 638 OR 639 OR 640 OR 641 OR 642 OR 643 OR 644 OR 645 OR 646 OR 647 OR 648 OR 649 OR 650 OR 651 OR 652 OR 653 OR 654 OR 655 OR 656 OR 657 OR 658 OR 659 OR 660 OR 661 OR 662 OR 663 OR 664 OR 665 OR 666 OR 667 OR 668 OR 669 OR 670 OR 671 OR 672 OR 673 OR 674 OR 675 OR 676 OR 677 OR 678 OR 679 OR 680 OR 681 OR 682 OR 683 OR 684 OR 685 OR 686 OR 687 OR 688 OR 689 OR 690 OR 691 OR 692 OR 693 OR 694 OR 695 OR 696 OR 697 OR 806 OR 807 OR 808 OR 809 OR 848 OR 849 OR 850 OR 851 OR 852 OR 853 OR 854 OR 855 OR 856 OR 857 OR 858 OR 859 OR 860 OR 861 OR 1100 OR 1101 OR 1104 OR 1105 OR 1108 etc
1 Like

What you have provided in the equals condition is a string so your filter says to drop the event when the event ID equals the string of "512 OR 513 OR ...". This will never match.

The way to write this type of condition is:

processors:
- drop_event.when.or:
  - equals.event_id: 512
  - equals.event_id: 513
  - equals.event_id: 514

This is similar to the example given here: https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html#_event_logs_event_id

1 Like

Ok, thanks, that makes more sense now.

Is the syntax correct for this, if I want to not drop events that have the below text in them?

-contains.event_data.param3: "powershell.exe","powershell_ise.exe"

Drop an event when it does not contain powershell.exe or powershell_ise.exe.

processors:
- drop_event.when.not.or:
  - contains.event_data.param3: powershell.exe
  - contains.event_data.param3: powershell_ise.exe

Thank you.

I put in the below, and the config check says it is OK, but then I am still getting events outside of the allowed.

processors:
- drop_event.when.not.or:
    - equals.event_id: 1102
    - equals.event_id: 4618
    - not.equals.event_id: 4624
    - not.equals.event_id: 4625
    - not.equals.event_id: 4648
    - not.equals.event_id: 4649
    - not.equals.event_id: 4657
    - not.equals.event_id: 4672
    - not.equals.event_id: 4692
    - not.equals.event_id: 4693
    - not.equals.event_id: 4694
    - not.equals.event_id: 4706
    - not.equals.event_id: 4714
    - not.equals.event_id: 4724
    - not.equals.event_id: 4735
    - not.equals.event_id: 4740
    - not.equals.event_id: 4892
    - not.equals.event_id: 4896
    - not.equals.event_id: 4897
    - not.equals.event_id: 4963
    - not.equals.event_id: 4964
    - not.equals.event_id: 4964
    - not.equals.event_id: 5030
    - not.equals.event_id: 5124
    - not.equals.event_id: 6272
    - not.equals.event_id: 6273
    - not.equals.event_id: 6274
    - not.equals.event_id: 6275
    - not.equals.event_id: 6276
    - not.equals.event_id: 6277
    - not.equals.event_id: 6278
    - not.equals.event_id: 6279
    - not.equals.event_id: 6280
    - contains.event_data.param3: powershell.exe
    - contains.event_data.param3: powershell_ise.exe

You didn't mention that you wanted to combine all of these conditions. That's a pretty complex filter. Maybe you could explain in words what you are trying to accomplish. Or try splitting these into multiple filters that are easier to reason about.

processors:
# drop when ((event_id == NNNN) AND !(param3 contains powershell.exe OR param3 contains powershell_ise.exe))
- drop_event.when:
    and:
      - equals.event_id: NNNN
      - not.or:
        - contains.event_data.param3: powershell.exe
        - contains.event_data.param3: powershell_ise.exe
# drop when (event_id == 1102 OR event_id == 4618)
- drop_event.when:
    or:
    - equals.event_id: 1102
    - equals.event_id: 4618
# drop when !(event_id == 4624 OR event_id == 4625)
- drop_event.when.not:
    or:
    - equals.event_id: 4624
    - equals.event_id: 4625

Hmm, ok.

I would like to only show in Logstash those 33 windows events, or any event that has powershell.exe or powershell_ise.exe in it.

I think this should do it. You just need to extend it to include all 33 event_ids.

- drop_event.when.not.or:
  - equals.event_id: 4626
  - equals.event_id: 4625
  - contains.event_data.param3: powershell.exe
  - contains.event_data.param3: powershell_ise.exe

Oh my, I messed up the above filter example, thank you, that is what I thought I had at one point.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.