Winlogbeat "event_id" filter does not seem to be working

Hello, it seems the event_id filtering is not working for me. Instead, Winlogbeat just sends all events available in the evtx files to the Elastic Stack.
The build hash of Winlogbeat is "6f0ec01a0e57fe7d4fd703b017fb5a2f6448d097".
I am not running Winlogbeat as a service, because I want to test it first.

winlogbeat.registry_file: C:/Winlogbeat/.winlogbeat.yml
winlogbeat.event_logs:
  - name: "C:/PROJECTS/BASERD01/System.evtx"
    event_id: 1074, 7045 # 1074 #, "7034", "7045" ]  
      # 1074 => shutdowns/restarts
      # 7034 => a service crashed
      # 7045 => a new service was created
  - name: "C:/PROJECTS/BASERD01/Security.evtx"
    event_id: 4697
      # service created


setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "http://192.168.255.60:5601"

output.elasticsearch:
  hosts: ["192.168.255.60:8081"]
  protocol: "http"

When I check the configuration file, everything seems to be ok:

.\winlogbeat.exe test config
Config OK

Running Winlogbeat with the above shown config reveals this:

.\winlogbeat.exe -c .\winlogbeat.yml -e

2019-08-15T09:25:11.511+0200    INFO    instance/beat.go:606    Home path: [C:\\\r\\nWinlogbeat] Config path: [C:\\\r\\nWinlogbeat] Data path: [C:\\\r\\nWinlogbeat\data] Logs path:         [C:\\\r\\nWinlogbeat\logs]
2019-08-15T09:25:11.512+0200    INFO    instance/beat.go:614    Beat ID: 61af2bb3-c52b-4b2e-8cbc-5906a8d85ed2
2019-08-15T09:25:11.512+0200    INFO    [beat]  instance/beat.go:902    Beat info       {"system_info": {"beat": {"path": {"config": "C:\\\\r\\n\Winlogbeat", "data": "C:\\\\r\\n\Winlogbeat\\data", "home": "C:\\\\r\\n\Winlogbeat", "logs": "C:\\\\r\\n\Winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "61af2bb3-c52b-4b2e-8cbc-5906a8d85ed2"}}}
2019-08-15T09:25:11.513+0200    INFO    [beat]  instance/beat.go:911    Build info      {"system_info": {"build": {"commit": "6f0ec01a0e57fe7d4fd703b017fb5a2f6448d097", "libbeat": "7.3.0", "time": "2019-07-24T17:45:51.000Z", "version": "7.3.0"}}}
2019-08-15T09:25:11.513+0200    INFO    [beat]  instance/beat.go:914    Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.12.4"}}}
2019-08-15T09:25:11.562+0200    INFO    [beat]  instance/beat.go:918    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-08-15T03:14:46.32+02:00","name":"DESKTOP-2QRFRSP","ip":["fe80::6c99:623c:3d21:c1af/64","169.254.193.175/16","fe80::d0bb:67c5:c025:b297/64","169.254.178.151/16","fe80::5dcc:54e9:eb80:d32b/64","169.254.211.43/16","fe80::19c7:aa39:c9cd:2ec6/64","169.254.46.198/16","192.168.200.1/24","192.168.255.1/24","fe80::b8f8:4fad:20d7:a97b/64","10.154.76.46/16","fe80::d802:4de6:e241:eeb0/64","169.254.238.176/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.18362.295 (WinBuild.160101.0800)","mac":["54:e1:ad:c2:b7:db","44:03:2c:a0:b1:54","46:03:2c:a0:b1:53","00:50:56:c0:00:00","00:50:56:c0:00:01","00:50:56:c0:00:02","44:03:2c:a0:b1:53","44:03:2c:a0:b1:57"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"18362.295"},"timezone":"CEST","timezone_offset_sec":7200,"id":"f11a726e-1434-4be3-9c63-aca07da00b2d"}}}
2019-08-15T09:25:11.566+0200    INFO    [beat]  instance/beat.go:947    Process info    {"system_info": {"process": {"cwd": "C:\\\\r\\n\Winlogbeat", "exe": "C:\\\\r\\n\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 8140, "ppid": 7160, "start_time": "2019-08-15T09:25:11.463+0200"}}}
2019-08-15T09:25:11.566+0200    INFO    instance/beat.go:292    Setup Beat: winlogbeat; Version: 7.3.0
2019-08-15T09:25:11.566+0200    INFO    [index-management]      idxmgmt/std.go:178      Set output.elasticsearch.index to 'winlogbeat-7.3.0' as ILM is enabled.
2019-08-15T09:25:11.567+0200    INFO    elasticsearch/client.go:170     Elasticsearch url: http://192.168.255.60:8081
2019-08-15T09:25:11.567+0200    INFO    [publisher]     pipeline/module.go:97   Beat name: DESKTOP-2QRFRSP
2019-08-15T09:25:11.567+0200    INFO    beater/winlogbeat.go:69 State will be read from and persisted to C:/FORENSICS/Winlogbeat/.winlogbeat.yml
2019-08-15T09:25:11.568+0200    INFO    instance/beat.go:421    winlogbeat start running.
2019-08-15T09:25:11.568+0200    INFO    [monitoring]    log/log.go:118  Starting metrics logging every 30s
2019-08-15T09:25:12.856+0200    INFO    pipeline/output.go:95   Connecting to backoff(elasticsearch(http://192.168.255.60:8081))
2019-08-15T09:25:12.860+0200    INFO    elasticsearch/client.go:743     Attempting to connect to Elasticsearch version 7.3.0
2019-08-15T09:25:12.913+0200    INFO    [index-management]      idxmgmt/std.go:252      Auto ILM enable success.
2019-08-15T09:25:12.918+0200    INFO    [index-management.ilm]  ilm/std.go:134  do not generate ilm policy: exists=true, overwrite=false
2019-08-15T09:25:12.918+0200    INFO    [index-management]      idxmgmt/std.go:265      ILM policy successfully loaded.
2019-08-15T09:25:12.918+0200    INFO    [index-management]      idxmgmt/std.go:394      Set setup.template.name to '{winlogbeat-7.3.0 {now/d}-000001}' as ILM is enabled.
2019-08-15T09:25:12.918+0200    INFO    [index-management]      idxmgmt/std.go:399      Set setup.template.pattern to 'winlogbeat-7.3.0-*' as ILM is enabled.
2019-08-15T09:25:12.918+0200    INFO    [index-management]      idxmgmt/std.go:433      Set settings.index.lifecycle.rollover_alias in template to {winlogbeat-7.3.0 {now/d}-000001} as ILM is enabled.
2019-08-15T09:25:12.918+0200    INFO    [index-management]      idxmgmt/std.go:437      Set settings.index.lifecycle.name in template to {winlogbeat-7.3.0 {"policy":{"phases":{"hot":{"actions":{"rollover":{"max_age":"30d","max_size":"50gb"}}}}}}} as ILM is enabled.
2019-08-15T09:25:12.924+0200    INFO    template/load.go:88     Template winlogbeat-7.3.0 already exists and will not be overwritten.
2019-08-15T09:25:12.924+0200    INFO    [index-management]      idxmgmt/std.go:289      Loaded index template.
2019-08-15T09:25:12.927+0200    INFO    [index-management]      idxmgmt/std.go:300      Write alias successfully generated.
2019-08-15T09:25:12.931+0200    INFO    pipeline/output.go:105  Connection to backoff(elasticsearch(http://192.168.255.60:8081)) established
2019-08-15T09:25:14.379+0200    INFO    beater/eventlogger.go:76        EventLog[C:\PROJECTS\BASERD01\Security.evtx] successfully published 100 events

[...]
(In this case I stopped, because I got more events than I wanted, and event IDs I don't want.)
Interestingly, when I look up the data in Kibana I have an event.code field (not event.id).

I found the solution today. I had to change the config into something like the following:

winlogbeat.registry_file: C:/Winlogbeat/.winlogbeat.yml
winlogbeat.event_logs:
  - name: "C:/PROJECTS/BASERD01/System.evtx"
    processors:
      - drop_event.when.not.or:
          - equals.event_id: '1074'
          - equals.event_id: '7045'

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "http://192.168.255.60:5601"

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.255.60:8081"]
  protocol: "http"

but why is the event_id filter not working anymore?
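Added example (not code from the post or from Winlogbeat) that models both filters in this thread: a parser for the event_id expression syntax and an evaluator for the drop_event condition, run over constructed event IDs to confirm the workaround keeps the same events the event_id setting was meant to select. It assumes a root-level event_id field and compares values as strings for simplicity; point the condition at whatever field your Winlogbeat version actually emits (the post notes Kibana shows event.code).

```python
# Added example (not from the post or Winlogbeat). Field name "event_id" and
# string comparison are simplifications; exclusions are assumed to beat includes.
def parse_event_id_filter(expr):
    """Parse Winlogbeat's event_id syntax ("4624, 4700-4800, -4735"): IDs and
    inclusive ranges are included, "-id" excluded; empty include = all."""
    include, exclude = set(), set()
    for tok in (t.strip() for t in str(expr).split(",")):
        if not tok:
            continue
        if tok.startswith("-"):
            exclude.add(int(tok[1:]))
        elif "-" in tok:
            lo, hi = (int(p) for p in tok.split("-", 1))
            include.update(range(lo, hi + 1))
        else:
            include.add(int(tok))
    return include, exclude

def event_id_allows(expr, event_id):
    """True if an event with this ID passes the event_id filter."""
    include, exclude = parse_event_id_filter(expr)
    return event_id not in exclude and (not include or event_id in include)

def condition_matches(cond, event):
    """Evaluate the subset of Beats condition syntax the workaround uses:
    equals.<field>, or, not (libbeat's equals is typed; this compares strings)."""
    ((key, value),) = cond.items()
    if key == "not":
        return not condition_matches(value, event)
    if key == "or":
        return any(condition_matches(c, event) for c in value)
    if key.startswith("equals."):
        return str(event.get(key[len("equals."):])) == str(value)
    raise ValueError(f"unsupported condition: {key!r}")

# The post's processor, as the nesting its dotted YAML keys expand to.
WORKAROUND_WHEN = {"not": {"or": [{"equals.event_id": "1074"},
                                  {"equals.event_id": "7045"}]}}

def kept_by_each(expr, when, event_ids):
    """Return (IDs kept by the event_id filter, IDs kept by drop_event)."""
    by_filter = {e for e in event_ids if event_id_allows(expr, e)}
    # drop_event discards an event when its condition matches, so keep = not matched.
    by_processor = {e for e in event_ids
                    if not condition_matches(when, {"event_id": e})}
    return by_filter, by_processor

SAMPLE_IDS = [1074, 7034, 7036, 7045, 4697]  # constructed: post's IDs plus two noise IDs
print(kept_by_each("1074, 7045", WORKAROUND_WHEN, SAMPLE_IDS))
```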
