Winlogbeat doesn't drop events

h49nakxs · May 4, 2023, 1:09pm

Hi there,

How the hell are we supposed to configure winlogbeats (ecs.version : 1.6.0) to drop events ?
I've tried, many, many variations, but none of them worked.

  - name: Security
    processors:
      - drop_event.when.or:
        - equals.winlog.event_id: 5152

It doesn't work.

  - name: Security
    processors:
      - drop_event.when.and:
        - equals.winlog.event_id: 5152

Does not work.

  - name: Security
    processors:
      - drop_event.when:
          and:
            - equals:
                winlog.event_data.EventId: 5152

Does not work.

  - name: Security
    processors:
      - drop_event.when.or:
        - equals.event_code: 5152

Does it work ? No.

  - name: Security
    processors:
      - drop_event.when.or:
        - equals.winlog_event_id: 5152

No.

 - name: Security
   processors:
    - drop_event.when.and:
       - equals.event_id: 5152

Guess what ? It doesn't work.

 - name: Security
   processors:
    - drop_event.when.and:
       - equals.event_id: '5152'

No luck.

  - name: Security
    processors:
      - drop_event.when.and:
        - equals:
          event.code: 5152

Winlogbeat doesn't even start.

Thanks

mazoutte · May 4, 2023, 2:40pm

Hello,

You must simple quote the event_id number. On all your tests, you didn't try this (simple quotes + or statement ) :

   processors:
    - drop_event.when.or:
       - equals.winlog.event_id: '5152'

The "or" will give the opportunity to add more events to be dropped that way.

   processors:
    - drop_event.when.or:
       - equals.winlog.event_id: '5152'
       - equals.winlog.event_id: '5153'

andrewkroh · May 4, 2023, 3:30pm

ECS event.code and Winlogbeat's winlog.event_id are both strings.

The equals conditions only matches when the data types are the same. So like @mazoutte said, add quotes to the value to make it a string.

- drop_event:
    when:
      or:
        - equals.event.code: '4124'
        - equals.event.code: '4126'

h49nakxs · May 9, 2023, 11:54am

OK, thank you very much for both your answers.
Sorry for the harsh tone of my initial post, I was a bit frustrated...

Devdem · May 10, 2023, 1:08pm

Oh my gosh, this is exactly why mine weren't being filtered! I totally felt and shared your frustration in the first post. Thanks for helping me out in turn!

system · June 7, 2023, 3:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.