Try to take only log from on application

Roms · May 12, 2020, 3:27pm

Hello everyone,

I can catch every log from the computer but I just want the log from one application. I try to make that with the processors on Winlogbeat.

It's is possible ?
Did I have to do that with a filter on Logstash ?

Here it's what I catch with the logbeat.

Actualy It's what I have from the cmd line:

Exiting: error initializing processors: failed to initialize condition: missing or invalid condition

And here is my Winlogbeat processors

    processors:
    - include_fields:
        when:
          winlog.event_data.ProcessName: 'C:\Program Files (x86)\Microsoft Dynamics NAV\110\RoleTailored Client\Microsoft.Dynamics.Nav.Client.exe'
        fields: [message, winlog.event_data.ProcessName, winlog.event_data.SubjectUserName]

Kind of regards.
Romain

PS: I'm sorry for my english skill

jsoriano · May 12, 2020, 9:05pm

Hey @Roms,

One thing you can do is to filter out all events you are not interested in, for example with something like this:

processors:
  - drop_event:
      when:
        equals.winlog.event_data.ProcessName: 'C:\Program Files (x86)\Microsoft Dynamics NAV\110\RoleTailored Client\Microsoft.Dynamics.Nav.Client.exe'

mazoutte · May 13, 2020, 10:18am

Hello,

I'm using this configuration on the winlogbeat agent to send specific events (4624 and 4625) generated by an application (Azure AD Connect PTA agent).
I'm using a drop_event processor.

This will drop every collected events that are not sent by my application.

winlogbeat.event_logs:
  - name: Security
    ignore_older: 24h
    event_id: 4624,4625

processors:
- drop_event.when.not.equals.winlog.event_data.ProcessName: 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe'

Regards,

Roms · May 13, 2020, 11:44am

Hey everyone,

Thank you for your answers.
I have already tried @jsoriano solution.
I'll see if your proposal could also work with my problem. (event_id and the ignore_older)
I managed to get what I wanted in Kiabana by using KQL and isolating the logs. Which seems to be enough for what we're doing.

My only fear is that I'll end up with a log overflow.

I thank you for your answer the topic can be closed.

system · June 10, 2020, 11:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.