Winlogbeat removes the event_id of - 4624 and - 4634 in event_logs, but it is still collected when kibana queries data. What else do you need to set up?



When you configure event_id: -4624, -4634 this should cause Windows to suppress those two security events in the stream it gives to Winlogbeat. It does this by passing an XML query to the Windows API that says which events to ignore. You can check this XML query by enabling debug logging in the config file.

logging.level: debug
logging.selectors: [eventlog]

At startup you'll see the query in the log file output. It should be similar to:

<QueryList>
  <Query Id="0">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[((EventID=4624 or EventID=4634))]]</Suppress>
  </Query>
</QueryList>

You can test that XML query using the Windows Event Viewer. Create a custom view and paste the query from the log file to the tab labeled "XML". See an example at https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/. Then check to see if 4624 and 4634 are filtered from the custom view.

If you have multiple Winlogbeat instances running, double check that they are all set up to filter out these event IDs.

Another option for filtering events is to use a drop_event processor.

processors:
  - drop_event:
      when:
        or: 
          - equals.event_id: 4624
          - equals.event_id: 4634
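As an added example (not code from the original post, and not Winlogbeat's own source), the Python below models the two filtering stages the answer describes: turning an event_id setting such as "-4624, -4634" into the Select/Suppress XML query that the debug log prints, and then applying the equivalent of the drop_event processor to events that arrived anyway. The sample events are constructed, and the simplified translation rules (positive IDs become the Select predicate, negative IDs the Suppress predicate, no ranges or batching) are an assumption made for illustration.

```python
import xml.etree.ElementTree as ET


def parse_event_id(spec: str):
    """Split a Winlogbeat-style event_id string such as "-4624, -4634, 4625"
    into (include, exclude) lists of integers. A leading '-' marks an ID to
    suppress; everything else is an ID to select."""
    include, exclude = [], []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token.startswith("-"):
            exclude.append(int(token[1:]))
        else:
            include.append(int(token))
    return include, exclude


def _xpath(ids):
    # Same predicate shape as the query shown in the debug log output.
    clause = " or ".join(f"EventID={i}" for i in ids)
    return f"*[System[(({clause}))]]"


def build_query(channel: str, spec: str) -> str:
    """Build the <QueryList> XML a subscription would send to the Windows
    event log API for one channel (assumed simplified translation)."""
    include, exclude = parse_event_id(spec)
    root = ET.Element("QueryList")
    query = ET.SubElement(root, "Query", Id="0")
    select = ET.SubElement(query, "Select", Path=channel)
    # With no positive IDs, select everything and rely on <Suppress>.
    select.text = _xpath(include) if include else "*"
    if exclude:
        suppress = ET.SubElement(query, "Suppress", Path=channel)
        suppress.text = _xpath(exclude)
    return ET.tostring(root, encoding="unicode")


def subscription_keeps(event_id: int, spec: str) -> bool:
    """Decide whether the Select/Suppress query would deliver this event.
    Suppress wins over Select, as in the Windows query semantics."""
    include, exclude = parse_event_id(spec)
    if event_id in exclude:
        return False
    return not include or event_id in include


def drop_event_keeps(event: dict, drop_ids) -> bool:
    """Model of the drop_event processor with an 'or' of equals.event_id
    conditions: the event is dropped when any listed ID matches."""
    return not any(event.get("event_id") == i for i in drop_ids)


def filter_events(events, spec: str, drop_ids=()):
    """Apply both stages in order: subscription query first, then processor."""
    kept = []
    for ev in events:
        if not subscription_keeps(ev["event_id"], spec):
            continue
        if not drop_event_keeps(ev, drop_ids):
            continue
        kept.append(ev)
    return kept


# Constructed sample events, not taken from any real host.
SAMPLE_EVENTS = [
    {"event_id": 4624, "message": "An account was successfully logged on."},
    {"event_id": 4634, "message": "An account was logged off."},
    {"event_id": 4625, "message": "An account failed to log on."},
    {"event_id": 4672, "message": "Special privileges assigned to new logon."},
]

if __name__ == "__main__":
    print(build_query("Security", "-4624, -4634"))
    for ev in filter_events(SAMPLE_EVENTS, "-4624, -4634", drop_ids=(4624, 4634)):
        print(ev["event_id"], ev["message"])
```

Running the script prints the same Select/Suppress query shape the answer shows, and only events 4625 and 4672 survive; if 4624 or 4634 still reach Kibana, the debug-log query on the affected host is the first thing to compare against this output.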
