Hello,
I'm struggling with filtering (dropping) events that carry certain keywords, delivered from winlogbeat (6.2.1 / 6.2.3) to logstash (6.2.1).
Events with this pattern should be dropped in Logstash; I know it would be better not to send them from winlogbeat at all...
"keywords": [
"Überwachung erfolgreich"
],
Sometimes it arrives nested under _source:
"_source": {
"tags": [
"beats_input_codec_plain_applied"
],
"keywords": [
"Überwachung erfolgreich"
],
but none of the filters I tried matched; here are some of the non-working examples:
# Attempt 1: on an array field, `in` tests for an element that is equal to the
# string, not for a substring, so "berwachung erfolgreich" (without the leading
# "Ü") never equals the element "Überwachung erfolgreich" seen in the sample.
if "berwachung erfolgreich" in [keywords] {
drop { }
}
# Attempt 2: the trailing `.` requires one more character after "erfolgreich",
# but the sample value ends right there, so this pattern cannot match even on a
# plain string.  [keywords] is also an array, which `=~` presumably does not walk
# element by element (verify against the Logstash version in use).
if [keywords] =~ /^.berwachung erfolgreich./ {
drop { }
}
# Attempt 3: "_source" is the Elasticsearch document wrapper Kibana displays; in
# the Logstash pipeline the event exposes [keywords] at its top level, so the
# path [_source][keywords] does not exist and the condition is never true.
if "berwachung erfolgreich" in [_source][keywords] {
drop { }
}
# NOTE(review): the sample events are event_id 4624 from the Security log; a
# condition on the keyword alone appears to drop every audit-success record,
# which removes logon history from the index — consider narrowing the
# condition (e.g. by [event_id]) if those records are needed for investigation.
This is the full JSON output from Kibana, slightly anonymized.
{
"_index": "winlogbeat-2018.04.09",
"_type": "doc",
"_id": "2nN4qWIBMz20DaAyNBM6",
"_version": 1,
"_score": null,
"_source": {
"tags": [
"beats_input_codec_plain_applied"
],
"thread_id": 22220,
"opcode": "Info",
"beat": {
"hostname": "Removed",
"name": "Removed",
"version": "6.2.3"
},
"type": "wineventlog",
"@version": "1",
"event_data": {
"TransmittedServices": "-",
"TargetUserSid": "Removed",
"SubjectLogonId": "0x0",
"KeyLength": "0",
"SubjectUserSid": "S-1-0-0",
"SubjectDomainName": "-",
"ProcessName": "-",
"IpPort": "65533",
"AuthenticationPackageName": "Kerberos",
"LogonType": "3",
"IpAddress": "Removed",
"TargetDomainName": "Removed",
"ImpersonationLevel": "%%1840",
"TargetLogonId": "0x6d26036a",
"LmPackageName": "-",
"ProcessId": "0x0",
"LogonGuid": "{Removed}",
"TargetUserName": "Removed",
"LogonProcessName": "Kerberos",
"SubjectUserName": "-"
},
"keywords": [
"Überwachung erfolgreich"
],
"level": "Informationen",
"process_id": 524,
"event_id": 4624,
"computer_name": "DC-REPLACED",
"provider_guid": "{Removed}",
"host": "Removed",
"source_name": "Microsoft-Windows-Security-Auditing",
"task": "Anmelden",
"record_number": "711788280",
"@timestamp": "2018-04-09T08:14:07.995Z",
"log_name": "Security",
"version": 1
},
"fields": {
"@timestamp": [
"2018-04-09T08:14:07.995Z"
]
},
"sort": [
1523261647995
]
}
------------ second version
{
"_index": "winlogbeat-2018.04.09",
"_type": "doc",
"_id": "0fOGqWIB4gPrY0VJkSbQ",
"_version": 1,
"_score": null,
"_source": {
"tags": [
"beats_input_codec_plain_applied"
],
"keywords": [
"Überwachung erfolgreich"
],
"level": "Informationen",
"opcode": "Info",
"event_id": 4624,
"process_id": 584,
"type": "wineventlog",
"beat": {
"hostname": "Removed",
"name": "Removed",
"version": "6.2.1"
},
"provider_guid": "{Removed}",
"computer_name": "Removed",
"thread_id": 5056,
"host": "Removed",
"source_name": "Microsoft-Windows-Security-Auditing",
"@version": "1",
"task": "Anmelden",
"event_data": {
"TransmittedServices": "-",
"TargetUserSid": "Removed",
"SubjectLogonId": "0x0",
"KeyLength": "0",
"SubjectUserSid": "S-1-0-0",
"SubjectDomainName": "-",
"ProcessName": "-",
"IpPort": "49216",
"AuthenticationPackageName": "Kerberos",
"LogonType": "3",
"LmPackageName": "-",
"TargetDomainName": "Removed",
"IpAddress": "Removed",
"TargetLogonId": "0xa46c7b68",
"ProcessId": "0x0",
"TargetUserName": "Removed",
"LogonGuid": "{2338B7DD-65B0-3DEC-5787-ABDCAAA843EC}",
"LogonProcessName": "Kerberos",
"SubjectUserName": "-"
},
"record_number": "744583588",
"@timestamp": "2018-04-09T08:29:48.865Z",
"log_name": "Security"
},
"fields": {
"@timestamp": [
"2018-04-09T08:29:48.865Z"
]
},
"sort": [
1523262588865
]
}