Hi,
I have installed Winlogbeat 7.6.2 and configured the following filter.
winlogbeat.event_logs:
  - name: Application
    event_id: 1000,1002,1001
    ignore_older: 72h
    level: critical, error, warning
  - name: System
    event_id: 4740,4728,4732,4756,4735,4724,4625,1102
    ignore_older: 72h
    level: critical, error, warning
  - name: DFS Replication
    event_id: 5004,5014,4304,5002
    ignore_older: 72h
    level: critical, error, warning, information
  - name: Security
    event_id: 4624, 4625, 4728, 4732, 4756, 4735
    ignore_older: 72h
    processors:
      - drop_event:
          when:
            and:
              - or:
                  - equals.winlog.event_id: 4624
                  - equals.winlog.event_id: 4634
              - or:
                  - equals.winlog.event_data.TargetUserName: 'SYSTEM'
                  - regexp.winlog.event_data.TargetUserName: '^SQL.*$'
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
However, I am still getting events with usernames ending with $ and SYSTEM accounts.
Could you please help me out?
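To see exactly which events the posted drop_event condition removes, here is the same and/or/equals/regexp logic re-implemented in Python and run over a few constructed Security events. This is an added illustration, not code from the post or from Winlogbeat; the sample events and usernames (SYSTEM, SQLSVC01, HOST01$, alice) are made up, and the field names follow Winlogbeat's winlog.* layout.

```python
import re

# Constructed sample events (not real log data), flattened to Winlogbeat field names.
SAMPLE_EVENTS = [
    {"winlog.event_id": 4624, "winlog.event_data.TargetUserName": "SYSTEM"},
    {"winlog.event_id": 4624, "winlog.event_data.TargetUserName": "SQLSVC01"},
    {"winlog.event_id": 4624, "winlog.event_data.TargetUserName": "HOST01$"},
    {"winlog.event_id": 4634, "winlog.event_data.TargetUserName": "SYSTEM"},
    {"winlog.event_id": 4625, "winlog.event_data.TargetUserName": "SYSTEM"},
    {"winlog.event_id": 4624, "winlog.event_data.TargetUserName": "alice"},
]


def equals(field, value):
    # Beats `equals`: exact comparison of the field value.
    return lambda ev: ev.get(field) == value


def regexp(field, pattern):
    # Beats `regexp`: unanchored RE2 search, so anchors must be written explicitly.
    rx = re.compile(pattern)
    return lambda ev: isinstance(ev.get(field), str) and rx.search(ev[field]) is not None


def any_of(*conds):
    # Beats `or` block.
    return lambda ev: any(c(ev) for c in conds)


def all_of(*conds):
    # Beats `and` block.
    return lambda ev: all(c(ev) for c in conds)


# The posted drop_event.when condition, expressed with the helpers above.
DROP_WHEN = all_of(
    any_of(equals("winlog.event_id", 4624), equals("winlog.event_id", 4634)),
    any_of(
        equals("winlog.event_data.TargetUserName", "SYSTEM"),
        regexp("winlog.event_data.TargetUserName", r"^SQL.*$"),
    ),
)


def apply_drop_event(events, condition=DROP_WHEN):
    # drop_event removes every event for which the condition is true.
    return [ev for ev in events if not condition(ev)]


def surviving_events(events=SAMPLE_EVENTS):
    # Returns (event_id, TargetUserName) for the events that pass the filter.
    return [(ev["winlog.event_id"], ev["winlog.event_data.TargetUserName"])
            for ev in apply_drop_event(events)]
```

Running it shows that HOST01$ survives because the pattern '^SQL.*$' only matches names starting with SQL, and that SYSTEM at event 4625 survives because the condition is restricted to event IDs 4624 and 4634.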