Winlogbeat filter not working

Hi,

I have installed Winlogbeat 7.6.2 and configured the following filter.

winlogbeat.event_logs:
  - name: Application
    event_id: 1000,1002,1001
    ignore_older: 72h
    level: critical, error, warning

  - name: System
    event_id: 4740,4728,4732,4756,4735,4724,4625,1102
    ignore_older: 72h
    level: critical, error, warning

  - name: DFS Replication
    event_id: 5004,5014,4304,5002
    ignore_older: 72h
    level: critical, error, warning, information

  - name: Security
    event_id: 4624, 4625, 4728, 4732, 4756, 4735
    ignore_older: 72h
    processors:
      - drop_event:
          when:
            and:
              - or:
                  - equals.winlog.event_id: 4624
                  - equals.winlog.event_id: 4634
              - or:
                  - equals.winlog.event_data.TargetUserName: 'SYSTEM'
                  - regexp.winlog.event_data.TargetUserName: '^SQL.*$'

      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

However, I am still getting events with usernames ending with $ and for SYSTEM accounts.

Could you please help me out?

Hi @Krishna_MS, can you try removing the winlog prefix from the field name and let us know if it worked?
ex:

- equals.event_id: 4624

instead of

- equals.winlog.event_id: 4624

Hi,

I changed to

      - equals.event_id: 4624
      - equals.event_id: 4634
      - or:
          - equals.winlog.event_data.TargetUserName: 'SYSTEM'
          - regexp.winlog.event_data.TargetUserName: '^SQL.*$'

I also tried this

      - equals.event_id: 4624
      - equals.event_id: 4634
      - or:
          - equals.event_data.TargetUserName: 'SYSTEM'
          - regexp.event_data.TargetUserName: '^SQL.*$'

It is not working. It still logs events with usernames ending with $.
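As an added example (this is not configuration from the thread or from the Winlogbeat project), here is the Security entry with the drop_event condition nested the way the processor expects, plus one extra pattern. Two things stand out in the posted filter regardless of field naming: the regexp '^SQL.*$' matches names that start with SQL, so a computer account such as DC01$ (name ending in a literal $) never matches it and is kept; and in Winlogbeat 7.x winlog.event_id is exported as a keyword (string) field, so the example quotes the comparison values on the assumption that an unquoted integer in equals does not match a string-valued field. The field names winlog.event_id and winlog.event_data.TargetUserName are the 7.x names; the script processor path is copied from the original post.

```yaml
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4728, 4732, 4756, 4735
    ignore_older: 72h
    processors:
      - drop_event:
          when:
            and:
              - or:
                  # winlog.event_id is a keyword (string) field in 7.x,
                  # so the values to compare against are quoted (assumption:
                  # an unquoted integer does not match the string value).
                  - equals.winlog.event_id: '4624'
                  - equals.winlog.event_id: '4634'
              - or:
                  # the built-in local system account
                  - equals.winlog.event_data.TargetUserName: 'SYSTEM'
                  # service accounts whose name starts with SQL
                  - regexp.winlog.event_data.TargetUserName: '^SQL'
                  # computer accounts: the name ends with a literal $
                  # (single-quoted YAML keeps the backslash as-is)
                  - regexp.winlog.event_data.TargetUserName: '\$$'
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
```

Two caveats when adapting this: the event_id include list on the log does not contain 4634, so the second equals never fires until 4634 is added there as well; and the and/or blocks have to be indented under when exactly as shown, because a flattened list (every clause at the same level) is read as a single or and drops far more than intended. Run winlogbeat test config -c winlogbeat.yml after editing to catch indentation errors before restarting the service.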
