Simple Filter - Multiple OR

(James Watson) #1

I have a working filter that is meeting my needs but I'm wondering about the efficiency as it grows. My apologies for the formatting as I'm inexperienced on this forum but my filter is as follows:

filter {
  if [type] == "wineventlog" {
    # drop expected OS/application noise; each =~ is a separate regex match on [message]
    if [message] =~ 'CONHOST.EXE' or
       [message] =~ 'DLLHOST.EXE' or
       [message] =~ 'CHROME.EXE' or
       [message] =~ 'TASKHOSTW.EXE' or
       [message] =~ 'ACRODIST.EXE' {
      drop { }
    }
  }
}

What I'm trying to accomplish is to capture AppLocker events from tens of thousands of student computers for security purposes, and there is no need to log expected OS/application behavior. I can see needing to add many more [message] =~ lines in the future, but I'm concerned that I may be inefficiently re-reading the same message field again and again, possibly causing performance issues.

Any suggestions on a recommended way to do this? Or is this already optimized by logstash?

(Magnus Bäck) #2

I suggest you extract the filename to a field of its own (e.g. using a grok filter) and use a translate filter to look up the executable name against a table of known good programs. The translate filter can set a field value or a tag if the executable was found in the list and then you can use a conditional to check against that value and drop the event.
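A worked version of that suggestion, added here as an illustration and not code from this thread or from the Logstash project. The grok pattern, the field names exe_name and [@metadata][known_good], and the assumed shape of the AppLocker message (a Windows path whose last segment is the executable name) are all assumptions.

```logstash
filter {
  if [type] == "wineventlog" {

    # 1. Pull the executable name out of the message into its own field.
    #    Assumes the AppLocker text contains a Windows path whose last
    #    segment is the binary name, e.g. ...\CHROME.EXE was allowed to run.
    #    [.] is used instead of an escaped dot so the pattern needs no
    #    backslash handling in the config string.
    grok {
      match => { "message" => "(?<exe_name>[A-Za-z0-9_.-]+[.][Ee][Xx][Ee])" }
      tag_on_failure => ["_no_exe_name"]
    }

    # 2. Normalise case once so the dictionary lookup below is an exact match.
    mutate { uppercase => ["exe_name"] }

    # 3. One hash lookup instead of N regex scans of [message].
    #    The dictionary can also live in a YAML file (dictionary_path) that
    #    Logstash re-reads on refresh_interval, so the allow-list grows
    #    without a pipeline restart. Older translate releases call these
    #    options field/destination instead of source/target.
    translate {
      source     => "exe_name"
      target     => "[@metadata][known_good]"
      dictionary => {
        "CONHOST.EXE"   => "true"
        "DLLHOST.EXE"   => "true"
        "CHROME.EXE"    => "true"
        "TASKHOSTW.EXE" => "true"
        "ACRODIST.EXE"  => "true"
      }
    }

    # 4. Drop only events whose executable was found in the table.
    #    @metadata fields are never shipped to the output, so no extra
    #    field lands in Elasticsearch for the events that are kept.
    if [@metadata][known_good] {
      drop { }
    }
  }
}
```

Keying on the file name alone keeps the original filter's blind spot: an unexpected binary that carries a known-good name is dropped too, so keying the dictionary on the full path or on the AppLocker rule that fired narrows that.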

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.