This topic has been addressed before and I've read other people's solutions, no luck. I have tried multiple combinations of and/or to drop Windows event logs 4624 or 4634 with LogonType 0, 3 or 5. However, it is still not dropping any events, i.e. they are still coming through Discover. Here's the latest from winlogbeat.yml. I assume I just restart the winlogbeat service after changes?
If LogonType is a string in the _source JSON in Discover, then you must have the same data type in your YAML. So add quotes around the LogonType values.
AFAIK that field does not exist, but related.user does.
If it's useful for anyone else, here's what's working for me. This filters out Winlogbeat event IDs 4624 and 4634, reduces a lot of the "noise", and only logs "real" users. Obviously replace SERVER$ and USERNAME$ with the values from your Analytics -> Discover in Kibana.
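A complete drop_event configuration for the case discussed in this thread, added here as an example (it is not the winlogbeat.yml from any of the posts above). It assumes Winlogbeat 7.x or later with ECS field names, where the event ID is `event.code` and the logon type is `winlog.event_data.LogonType`, both indexed as strings, which is why every value is quoted. The second processor, which drops computer-account logons (names ending in `$`, such as SERVER$ in the post above) via `winlog.event_data.TargetUserName`, is an assumption about which field carries the account name; confirm it against the _source JSON of your own events in Discover before relying on it.

```yaml
# winlogbeat.yml (added example, assumes Winlogbeat 7.x+ ECS field names)
winlogbeat.event_logs:
  - name: Security
    processors:
      # Drop logon (4624) and logoff (4634) events whose logon type is
      # System (0), Network (3) or Service (5), so only interactive-style
      # sessions by real accounts are shipped.
      - drop_event:
          when:
            and:
              # event.code is a keyword/string field, so the values are quoted.
              - or:
                  - equals:
                      event.code: "4624"
                  - equals:
                      event.code: "4634"
              # winlog.event_data.LogonType is also a string. An unquoted 3
              # here is the integer 3 and never matches the string "3", which
              # is why an unquoted condition silently drops nothing.
              - or:
                  - equals:
                      winlog.event_data.LogonType: "0"
                  - equals:
                      winlog.event_data.LogonType: "3"
                  - equals:
                      winlog.event_data.LogonType: "5"
      # Separately drop 4624/4634 for computer accounts (names ending in $).
      # Assumed field: check TargetUserName in Discover for your events.
      # The regexp is RE2 (Go) syntax and is unanchored at the start, so
      # '\$$' matches any name whose last character is a literal $.
      - drop_event:
          when:
            and:
              - or:
                  - equals:
                      event.code: "4624"
                  - equals:
                      event.code: "4634"
              - regexp:
                  winlog.event_data.TargetUserName: '\$$'
```

After editing, run `winlogbeat test config -c winlogbeat.yml` to catch YAML or condition syntax errors, then restart the service (`Restart-Service winlogbeat` in PowerShell); processors are only re-read on restart. To verify the filter is working, compare the count of `event.code: 4624` documents with `winlog.event_data.LogonType: 3` in Discover before and after the restart, and remember that events already indexed will not disappear, only new ones are dropped.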