Winlogbeat and drop_event filter

kernelpanic · April 11, 2017, 1:53pm

Hello all, I've configured winlogbeat to collect events from one of our domain controllers, there is a particular service account that generates thousands of successful authentication events each day and we're not interested in collecting those events. I therefore tried to create a filter that would drop those event IDs with that particular account as the target username (we'll call the account 'test-user' in this example). Here is the processor filter I added to the winlogbeat.yml file:

processors:
- drop_event:
    when:
      equals:
        event_id: 4624
      and:
       - equals:
          event_data.TargetUserName: test-user
        
- drop_event:
    when:
      equals:
        event_id: 4634
      and:
       - equals:
          event_data.TargetUserName: test-user
        
- drop_event:
    when:
      equals:
        event_id: 4625
      and:
       - equals:
          event_data.TargetUserName: test-user
        
- drop_event:
    when:
      equals:
        event_id: 4648
      and:
       - equals:
          event_data.TargetUserName: test-user

However, when I run a query for those event IDs it appears that they've all been dropped, not just the ones with the 'test-user' in the message.

Can anyone help?

andrewkroh · April 11, 2017, 2:56pm

So if I understand correctly you want to drop events when:

(event_id == "4624" OR event_id == "4625" OR event_id == "4634" OR event_id == "4648") && (event_data.TargetUserName == "test-user")

which translates to:

processors:
- drop_event:
    when:
      and:
      - or:
        - equals.event_id: 4624
        - equals.event_id: 4625
        - equals.event_id: 4634
        - equals.event_id: 4648
      - equals.event_data.TargetUserName: test-user

kernelpanic · April 11, 2017, 2:29pm

Yes, that's correct, thank you very much.

I thought it may have to be done they way you've specified - can you elaborate on the 'and:' and 'or:' order as it confuses me the way its written - in mind when I read your example the 'and:' is associated with equals.event_id: and the 'or:' is associated with equals.event_data.TargetUserName:

Do the hyphens associate the condition with the field?

Thanks.

andrewkroh · April 11, 2017, 3:16pm

If you are familiar with prefix notation you might recognize the pattern used here. The operators are written before the operands.

So the outer most operator is AND so it goes first. The expressions that are being AND'ed are next. These are the OR expression and the TargetUserName expression.

AND
- (OR 4624 4625 4634 4648)
- (test-user)

The other thing to understand is that the configuration is YAML and that is where the hyphens and indentation are coming from. Maybe showing the equivalent representation in JSON will make more sense (assuming some familiarity with JSON). BTW the following is also valid config as YAML is superset of JSON.

processors: [
    {
      "drop_event": {
        "when": {
          "and": [
            {
              "or": [
                {
                  "equals.event_id": 4624
                },
                {
                  "equals.event_id": 4625
                },
                {
                  "equals.event_id": 4634
                },
                {
                  "equals.event_id": 4648
                }
              ]
            },
            {
              "equals.event_data.TargetUserName": "test-user"
            }
          ]
        }
      }
    }
  ]

kernelpanic · April 11, 2017, 2:59pm

Thats great, I think I'm getting my head round it now, thanks once again.

system · May 9, 2017, 3:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.