Okay I have looked around and found different iterations of a solution. However I am running into a road block, the winlogbeats (below) are not dropping the events for that targetusername or even the event ID. All logs are still being processed into my stream/sidecar
Here is the winlogbeat I have used (does not work)
For an "OR" operator, you need to provide 2 operands to compare between. In case of username, you are using OR but only one operand is present and is not a valid logical operation.
If I understand correctly, you essentially want to perform AND operation on "pcuser01" and one of those 3 event_id values ? If yes, then you do not need the "OR" operator for the username field and equality check can be put directly under AND.
I think I was looking at this wrong. I decided to only ingest what I am looking to see. but also add filtering. Here is what I am doing but I want to remove the noise from the registry that is associated to the logins for windows (EVENT 4657). I tried layering winlogbeat configurations but I still got thousands of logs haha.