Winlogbeat Filtering Issue

jcor · January 20, 2021, 7:32pm

Hi folks,
I've run into a weird issue. I have two separate clusters. One is my personal lab and the other is a dev lab. I'm trying to drop a specific winlogevent id as sysmon is very noisey and not required for what I am doing.

In my personal lab I am able to drop event X as designed and documented by others. But on the dev cluster, with the same exact syntax winlogbeats does not drop the event id.

I am at a loss, event id 17 wont shut up. I've restarted the services after pushing out new configs and event id 17 is still being shipped. I mirrored the config from the personal lab to match the dev lab and dev lab still was shipping over the wrong data.

Dev Config Below

  winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    #level: critical, error, warning
    ignore_older: 1h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 5145 # Filtering network share object access
          - equals.winlog.event_id: 4656
          - equals.winlog.event_id: 5152 #Packet blocked
          - equals.winlog.event_id: 4658
          - equals.winlog.event_id: 5156 #Triggered very often by both Tanium and Radiant 
          - equals.winlog.event_id: 5158 #local Bind permitted
          - equals.winlog.event_id: 4689 #Process exit
          - equals.winlog.event_id: 4688 #process creation
          - equals.winlog.event_id: 5157 #process creation
          - equals.winlog.event_id: 5447 #process creation
          
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 1h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 17
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Windows PowerShell
    ignore_older: 1h
    event_id: 400, 403, 600, 800
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    ignore_older: 1h
    event_id: 4103, 4104, 4105, 4106
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

Personal Lab Config

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    processors:
      #- drop_event.when.or:
      #    - equals.winlog.event_id: 4624
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - drop_event.when.or: 
          - equals.winlog.event_id: 1
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    processors:
      - script:
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
          when.equals.winlog.channel: Security
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
          when.equals.winlog.channel: Windows PowerShell
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
          when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
          lang: javascript
          id: powershell
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

andrewkroh · January 20, 2021, 9:21pm

Try using a string in your config rather than a number. IIRC the winlog.event_id field is a string in the JSON documents so equality matching probably needs the value to be a string.

      - drop_event.when.or: 
          - equals.winlog.event_id: '1'

Additionally if you want to silence noise from Sysmon, consider using a sysmon XML config file so that it never even collects that particular data. It will save you some CPU cycles and disk space.

jcor · January 22, 2021, 3:41pm

So I'll give that a shot next, but do you have any idea why its still sending sysmon if I took out the below config options?

- name: Microsoft-Windows-Sysmon/Operational
    processors:
      - drop_event.when.or: 
          - equals.winlog.event_id: 1
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

and

- script:
          when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

andrewkroh · February 2, 2021, 1:51am

If you removed the winlogbeat.event_logs entry with name: Microsoft-Windows-Sysmon/Operational then it won't read any more Sysmon logs.

system · March 2, 2021, 3:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cant filter out events? Beats winlogbeat	15	869	November 24, 2020
Another Drop Event Beats winlogbeat	5	592	June 8, 2020
Winlogbeat don't collect some event Beats winlogbeat	4	516	February 6, 2020
Winlogbeat - multiple event_id's and processor drop_events Beats winlogbeat	2	133	May 28, 2024
Winlogbeat - drop_event (multiple event ID's with specific rules) Beats winlogbeat	6	1163	November 18, 2020

Winlogbeat Filtering Issue

Related Topics