Winlogbeat filter not working

Hi,

I have installed Winlogbeat 7.6.2 and configured the following filter.

winlogbeat.event_logs:

• name: Application
  event_id: 1000,1002,1001
  ignore_older: 72h
  level: critical, error, warning

• name: System
  event_id: 4740,4728,4732,4756,4735,4724,4625,1102
  ignore_older: 72h
  level: critical, error, warning

• name: DFS Replication
  event_id: 5004,5014,4304,5002
  ignore_older: 72h
  level: critical, error, warning, information

• name: Security
  event_id: 4624, 4625, 4728, 4732, 4756, 4735
  ignore_older: 72h
  processors:

  • drop_event:
    when:
    and:
    - or:
    - equals.winlog.event_id: 4624
    - equals.winlog.event_id: 4634
    - or:
    - equals.winlog.event_data.TargetUserName: 'SYSTEM'
    - regexp.winlog.event_data.TargetUserName: '^SQL.*$'

  • script:
    lang: javascript
    id: security
    file: ${path.home}/module/security/config/winlogbeat-security.js

However i am still getting events with username ending with $ and SYSTEM accounts.

Could u please help me out?

hi @Krishna_MS, can you try removing the winlog prefix from the field name and let us know if it worked?
ex:

- equals.event_id: 4624

instead of

- equals.winlog.event_id: 4624

Hi,

I changed to

• equals.event_id: 4624
  - equals.event_id: 4634
  - or:
  - equals.winlog.event_data.TargetUserName: 'SYSTEM'
  - regexp.winlog.event_data.TargetUserName: '^SQL.*$'

I also tried this

• equals.event_id: 4624
  - equals.event_id: 4634
  - or:
  - equals.event_data.TargetUserName: 'SYSTEM'
  - regexp.event_data.TargetUserName: '^SQL.*$'

It is not working. It still logs events with username ending with $

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.