Winlogbeat filter

8c8459cec5b62e5054b6 · July 19, 2018, 2:58pm

Hey
Please help.
The boss set the task to configure logging of events of deletion, creation, modification and files on the file server.
The ELK server is set up, it's time to install winlogbeeat on the file server and configure the transfer of the necessary events. Made configure winlogbeat, events are sent to the server ELK, but the events of too much and too much junk. I picked a few event_id, set up fee only them, but the events still a lot to have found out some required parameters event_data.AccessMask that I need. I'm trying to set up filtering by the event_data parameter.Access Mask unfortunately does not work filtering. Help please

winlogbeat.event log:
  - name: security
    event code: 4656, 4663

you need to filter all event_data.Access Mask other than as below.
event_data.Access Mask,
0x10000
0x20
0x4
0x2
0x40
Help please

andrewkroh · July 19, 2018, 9:26pm

You can you a drop_event process to drop events that do not match your condition.

winlogbeat.event log:
- name: security
  event code: 4656, 4663
  processors:
  - drop_event:
      when.not.or:
        - equals.event_data.AccessMask: '0x10000'
        - equals.event_data.AccessMask: '0x20'
        - equals.event_data.AccessMask: '0x4'
        - equals.event_data.AccessMask: '0x2'
        - equals.event_data.AccessMask: '0x40'

system · August 16, 2018, 9:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.