So this is a two-fer, filtering and processing with the security module
https://www.elastic.co/guide/en/beats/winlogbeat/master/winlogbeat-module-security.html
What is the proper syntax for this?
The article has this, so that the script applies to the security entries - but in my case they're "ForwardedEvents" and applying it to that category doesn't seem to do anything.
Same for filtering by event ID - how do I manage that? Normally you can do it by name (Security, Application, System) and then ID - how can I filter by name/ID while inside ForwardedEvents?
Or do I just have to filter by event ID and then 'drop' by name when it hits logstash? I was hoping to do this all from the winlogbeat config side but wherever works, I guess!
Thanks,
-Brian
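One way to express the filtering and module processing described in the question, as an added example that is not part of the original post or of Elastic's documentation. It assumes the Winlogbeat 7.x reference layout: forwarded events land in the `ForwardedEvents` channel with the originating log name in `winlog.channel`, the `event_id` option takes comma-separated IDs and ranges, and the security module is a `script` processor pointing at the shipped JavaScript file. The event IDs are constructed sample values; check field names and the script path against the installed version.

```yaml
# Added example (not from the original post or Elastic's docs): a winlogbeat.yml
# fragment for a Windows Event Forwarding collector. Field names and the script
# path follow the Winlogbeat 7.x reference config; verify against your version.
winlogbeat.event_logs:
  # Locally generated logs keep the usual per-channel filter.
  - name: System
    event_id: 7045, 104            # constructed sample IDs: service installed, log cleared

  # Forwarded events all arrive in one channel. The original log name is carried
  # in winlog.channel, so per-log decisions happen in processor conditions.
  - name: ForwardedEvents
    tags: [forwarded]
    # event_id applies to every forwarded source; ranges are allowed.
    event_id: 1102, 4624, 4625, 4648, 4672, 4688, 4720-4738, 4768-4776, 7045
    processors:
      # Run the security module script only on events that originated in Security.
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      # Drop forwarded events from any log other than the three we want, so the
      # filtering happens on the Winlogbeat side rather than in Logstash.
      - drop_event:
          when:
            not:
              or:
                - equals.winlog.channel: Security
                - equals.winlog.channel: System
                - equals.winlog.channel: Application
      # Optional: an ID filter that applies to one originating log only
      # (event.code is a string in 7.x). Constructed example: drop System 104.
      - drop_event:
          when:
            and:
              - equals.winlog.channel: System
              - equals.event.code: "104"
```

The `event_id` list is a channel-level filter, so on the collector it applies to every forwarded source at once; anything that must differ per originating log (which IDs to keep, whether to run the module script) goes into a processor `when` condition keyed on `winlog.channel`. Running the script unconditionally would apply the Security field mappings to System and Application records as well.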