Winlogbeat inop filter with more than 2 lines

Trying to get Winlogbeat to drop logs matching machine account with impersonation level "%%1833" and logon types 3/4.

Winlogbeat will run, but ignore the processor if I have more than 2 conditions. We are running version 7.9.3.

So, this works and the filter is processed:

  • drop_event.when.and:
    • equals.winlog.event_data.ImpersonationLevel: "%%1833" #
    • "$" #Drop Machine Accounts

Winlogbeat runs, but in this version, the filter is ignored:

  • drop_event.when.and:
    • equals.winlog.event_id: 4624
    • equals.winlog.event_data.ImpersonationLevel: "%%1833"
    • equals.winlog.event_data.Logontype: "3"
    • "$" #Drop Machine Accounts

Does anyone know if this is expected behavior? Is there some sort of limit to the number of conditions in a processor?

I see you have winlog.event_data.Logontype, but I think the field is winlog.event_data.LogonType like as seen in 4624(S) An account was successfully logged on. (Windows 10) - Windows security | Microsoft Docs.

Hey, thanks for the reply!

So, I had actually thought about dropping the "equals" and "contains" sections of the fields, as I've seen in other posts, if that's what you're getting at. Our Elastic stack is actually run by a cloud provider and they've mapped their fields in this format, so it works in all other parts of the winlogbeat config with this format.

Winlogbeat runs and all of the other filters work except for this one when it has 3 or more conidtions ANDed together.

Today, we had the provider filter in their Logstash, which works. Now, I'm just curious as to the behavior of Winlogbeat.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.