Winlogbeat Filtering Issue

Hi folks,
I've run into a weird issue. I have two separate clusters. One is my personal lab and the other is a dev lab. I'm trying to drop a specific Windows event ID, as Sysmon is very noisy and not required for what I am doing.

In my personal lab I am able to drop event X as designed and documented by others. But on the dev cluster, with the exact same syntax, Winlogbeat does not drop the event ID.

I am at a loss; event ID 17 won't shut up. I've restarted the services after pushing out new configs and event ID 17 is still being shipped. I mirrored the config from the personal lab to match the dev lab and the dev lab was still shipping over the wrong data.

Dev Config Below

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    #level: critical, error, warning
    ignore_older: 1h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 5145 # Filtering network share object access
          - equals.winlog.event_id: 4656 # A handle to an object was requested
          - equals.winlog.event_id: 5152 # Packet blocked
          - equals.winlog.event_id: 4658 # The handle to an object was closed
          - equals.winlog.event_id: 5156 # Triggered very often by both Tanium and Radiant
          - equals.winlog.event_id: 5158 # Local bind permitted
          - equals.winlog.event_id: 4689 # Process exit
          - equals.winlog.event_id: 4688 # Process creation
          - equals.winlog.event_id: 5157 # Filtering platform blocked a connection
          - equals.winlog.event_id: 5447 # Filtering platform filter changed
          
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 1h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 17
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Windows PowerShell
    ignore_older: 1h
    event_id: 400, 403, 600, 800
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    ignore_older: 1h
    event_id: 4103, 4104, 4105, 4106
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

Personal Lab Config

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    processors:
      #- drop_event.when.or:
      #    - equals.winlog.event_id: 4624
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - drop_event.when.or: 
          - equals.winlog.event_id: 1
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

Try using a string in your config rather than a number. IIRC the winlog.event_id field is a string in the JSON documents so equality matching probably needs the value to be a string.

      - drop_event.when.or: 
          - equals.winlog.event_id: '1'

Additionally, if you want to silence noise from Sysmon, consider using a Sysmon XML config file so that it never even collects that particular data. It will save you some CPU cycles and disk space.
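As an added example (not from the original thread or from Elastic), here is how the Sysmon entry posted above could be written to keep event 17 (Sysmon "Pipe Created") out, showing the two Winlogbeat-side options next to each other. The `event_id` setting on the log entry accepts single IDs, ranges, and IDs prefixed with `-` to exclude, and is applied in the Event Log query itself on Windows Vista and later, so the event is never read by Winlogbeat at all. The `drop_event` processor only runs after the event has been read, and the `equals` condition only matches when the value type in the config agrees with the type in the document (a quoted `'17'` will not match a numeric 17, and vice versa). The channel name, path and event ID follow the posted configs; pick one of the two options rather than stacking both.

```yaml
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 1h
    # Option 1: exclude at the query level. A leading '-' excludes an ID;
    # plain IDs (e.g. 1) and ranges (e.g. 1-25) include. Nothing else is
    # needed for this ID to disappear from the shipped data.
    event_id: -17
    processors:
      # Option 2: drop after collection. Quoted here because the reply
      # above reports winlog.event_id as a string in the document; if a
      # document written to output.console shows a bare number instead,
      # use 17 unquoted so the types agree.
      - drop_event.when.or:
          - equals.winlog.event_id: '17'
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
```

Before restarting the service, run `winlogbeat.exe test config -c winlogbeat.yml -e` to confirm the file parses; an indentation slip in a `processors` block is silently easy to miss otherwise. To settle the string-versus-number question for your own Winlogbeat version, temporarily point `output.console` at one event and look at how `winlog.event_id` is rendered in the JSON.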

So I'll give that a shot next, but do you have any idea why it's still sending Sysmon if I took out the below config options?

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 1
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

and

      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

If you removed the winlogbeat.event_logs entry with name: Microsoft-Windows-Sysmon/Operational then it won't read any more Sysmon logs.
