收集安全日志,删除TargetUserName为计算机名称的事件
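# Winlogbeat collector template (Graylog sidecar): ship the Security channel
# and drop events whose TargetUserName is a computer account (NAME$).
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: AD1901
fields.gl2_source_collector: 1d7f1a6b-3498-42dc-99ac-b898ad88cb88
output.logstash:
  hosts: ["10.10.20.7:5044"]
  # NOTE(review): no ssl.* settings — events cross the network to Logstash in
  # cleartext; set ssl.certificate_authorities (plus a client certificate if
  # the receiver requires one) before using this on a production collector.
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Security
      ignore_older: 24h
      processors:
        - drop_event:
            when:
              regexp:
                # Anchored: drop only names that END with "$" (computer
                # accounts). The earlier '.*\$' was unanchored and therefore
                # matched any name merely containing a "$" somewhere, because
                # Beats regexp conditions are not implicitly anchored.
                # Detection caveat: every computer-account event in the
                # Security channel is discarded, so nothing downstream can key
                # on machine-account activity; narrow to specific noisy event
                # IDs if that visibility matters.
                winlog.event_data.TargetUserName: '\$$'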
收集安全日志,删除TargetUserName为计算机名称的、以HealthMailbox开头的、名为SYSTEM的事件
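# Winlogbeat collector template (Graylog sidecar): ship the Security channel
# and drop events for computer accounts (NAME$), Exchange HealthMailbox*
# accounts and the SYSTEM account.
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["10.10.20.7:5044"]
  # NOTE(review): no ssl.* settings — plaintext transport to Logstash; set
  # ssl.certificate_authorities before using this on a production collector.
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Security
      ignore_older: 24h
      processors:
        - drop_event:
            when:
              or:
                # Computer accounts: names ending in "$". Anchored to the end;
                # the earlier '.*\$' matched any name containing a "$".
                - regexp:
                    winlog.event_data.TargetUserName: '\$$'
                # Exchange health mailboxes. The earlier 'HealthMailbox*' was a
                # glob written as a regex: it meant "HealthMailbo" followed by
                # zero or more "x", i.e. it matched any name containing
                # "HealthMailbo". '^HealthMailbox' is the intended prefix match.
                - regexp:
                    winlog.event_data.TargetUserName: '^HealthMailbox'
                # Exact match on the local SYSTEM account.
                # Detection caveat: all three rules remove whole account
                # classes from the Security channel rather than specific noisy
                # event IDs; anything that needs machine-account or SYSTEM
                # activity will have no data.
                - equals:
                    winlog.event_data.TargetUserName: 'SYSTEM'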
以下参考:
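# Reference collector: allow-list style filtering. `drop_event.when.not.or`
# drops everything that does NOT match one of the listed event IDs, so each
# list is the complete set of IDs that will ever leave the host for that
# channel.
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["graylog:5044"]
  # NOTE(review): plaintext transport — no ssl.* settings are configured.
# NOTE(review): the bare `event_id` field used in the conditions below is the
# Winlogbeat 6.x name; on 7.x and later the field is `winlog.event_id` (a
# string) and none of these conditions would match — verify against the
# installed version.
winlogbeat.event_logs:
  - name: Application
    level: critical, error, warning
    ignore_older: 48h
  - name: Security
    # Note that logon success/failure (4624/4625) and special-privilege logon
    # (4672) are not in this list and will be dropped; 4624/4625 appear in the
    # System list below, where they do not occur (they are Security-channel
    # IDs).
    processors:
      - drop_event.when.not.or:
          - equals.event_id: 129
          - equals.event_id: 141
          - equals.event_id: 1102
          - equals.event_id: 4648
          - equals.event_id: 4657
          - equals.event_id: 4688
          - equals.event_id: 4697
          - equals.event_id: 4698
          - equals.event_id: 4720
          - equals.event_id: 4738
          - equals.event_id: 4767
          - equals.event_id: 4728
          - equals.event_id: 4732
          - equals.event_id: 4634
          - equals.event_id: 4735
          - equals.event_id: 4740
          - equals.event_id: 4756
    level: critical, error, warning, information
    ignore_older: 48h
  - name: System
    processors:
      - drop_event.when.not.or:
          - equals.event_id: 129
          - equals.event_id: 1022
          - equals.event_id: 1033
          - equals.event_id: 1034
          # 4624, 4625, 4719 and 4738 are Security-channel IDs; they are not
          # expected in the System channel.
          - equals.event_id: 4624
          - equals.event_id: 4625
          - equals.event_id: 4633
          - equals.event_id: 4719
          - equals.event_id: 4738
          - equals.event_id: 7000
          - equals.event_id: 7022
          - equals.event_id: 7024
          - equals.event_id: 7031
          # Was a single entry `7034-7036`. `equals` is an exact compare, so
          # the literal string "7034-7036" never matched; ranges are accepted
          # by the event_log `event_id` option, not by processor conditions.
          - equals.event_id: 7034
          - equals.event_id: 7035
          - equals.event_id: 7036
          - equals.event_id: 7040
          - equals.event_id: 7045
    level: critical, error, warning
    ignore_older: 48h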
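# Three channels; the Security channel drops events whose SubjectUserName
# contains this host's sidecar node name.
winlogbeat:
  event_logs:
    - name: Application
      level: critical, error, warning
      ignore_older: 72h
    - name: System
      level: critical, error, warning
    - name: Security
      level: critical, error, warning, information
      processors:
        - drop_event:
            # `when` takes a condition mapping, not a list: the original
            # `drop_event.when:` followed by a `- contains...` item is not a
            # valid condition. The field is addressed by its Beats dotted
            # name; the underscore form looked like the Graylog-side flattened
            # field name, which presumably does not exist when the processor
            # runs on the host — confirm against the shipped events.
            when:
              contains:
                # Quoted so a numeric-looking node name stays a string.
                # Presumably meant to drop the host's own computer account
                # (NAME$); `contains` is case-sensitive, so the node name must
                # match the account's case — TODO confirm.
                winlog.event_data.SubjectUserName: "${sidecar.nodeName}"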
# Security channel entry: drop one specific event — ID 7234 for the target
# account "user-admin-batman" when the process name ends in
# university.checkhash.exe. All three conditions must hold (`and`).
- name: Security
  processors:
    - drop_event:
        when:
          and:
            # event_id is compared as a string here; on Winlogbeat 7.x and
            # later winlog.event_id is a string, so the quotes are what make
            # this match — other snippets on this page leave the value
            # unquoted, which presumably only matches on older versions.
            - equals:
                winlog.event_id: "7234"
            - equals:
                winlog.event_data.TargetUserName: "user-admin-batman"
            # Anchored at the end only; the dots are escaped so they match
            # literally.
            - regexp:
                winlog.event_data.ProcessName: 'university\.checkhash\.exe$'
# Global processors: drop three classes of Security events (any `or` branch
# matching drops the event).
processors:
  - drop_event:
      when:
        or:
          # 4624 (logon) where the logged-on account is SYSTEM.
          - and:
              - equals:
                  winlog.event_id: 4624
              - equals:
                  winlog.event_data.TargetUserName: 'SYSTEM'
          # 4672 (special privileges assigned) for service accounts, and for
          # every SID under S-1-5-21.
          # Detection caveat: S-1-5-21 is the prefix of all domain and local
          # user SIDs, so this branch discards 4672 for every real user — the
          # privileged-logon visibility that event exists to provide. The
          # service-account SIDs alone (S-1-5-19, S-1-5-20) are the usual
          # noise reduction.
          - and:
              - equals:
                  winlog.event_id: 4672
              - or:
                  - equals:
                      winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
                  - regexp:
                      winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
                  - equals:
                      winlog.event_data.SubjectUserSid: 'S-1-5-20'
                  - equals:
                      winlog.event_data.SubjectUserSid: 'S-1-5-19'
          # Same account filter for event ID 9999 — presumably a placeholder
          # to be replaced with a real ID; confirm before deploying.
          # NOTE(review): the event_id values here are unquoted integers; on
          # Winlogbeat 7.x+ winlog.event_id is a string and an integer
          # `equals` may never match — verify against the installed version.
          - and:
              - equals:
                  winlog.event_id: 9999
              - or:
                  - equals:
                      winlog.event_data.SubjectUserName: 'LOCAL SERVICE'
                  - regexp:
                      winlog.event_data.SubjectUserSid: '^S-1-5-21.*'
                  - equals:
                      winlog.event_data.SubjectUserSid: 'S-1-5-20'
                  - equals:
                      winlog.event_data.SubjectUserSid: 'S-1-5-19'