Two Graylog Pipeline rules for filtering Windows Event Logs by the EventID field. The first method defines the list of EventIDs that are routed to another stream (allow list). The second method defines the EventIDs that should not be routed to another stream (drop list). Before these two routing rules run, a third rule overrides the SourceModuleName field so that the events match the SIEM parser's requirements.
- Events are ingested into the win_event_all Stream
- Two Pipelines run:
  - win_event_allow
  - win_event_drop
Both pipelines run the set_source_module_name rule at stage 0; other pipeline rules can also be placed in this stage.
- The win_event_allow pipeline's stage 1 rule, win_event_allow_list, defines the EventIDs that are routed to the win_event_allowed Stream
- The win_event_drop pipeline's stage 1 rule, win_event_drop_list, defines the EventIDs that are not routed to the win_event_dropped Stream
3 Streams:
- win_event_all - Windows Events from the "gelf_tcp" Input
- win_event_allowed - Windows Events allowed by the win_event_allow_list Pipeline rule
- win_event_dropped - Windows Events not dropped by the win_event_drop_list Pipeline rule
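The three rules described above, written out in Graylog's pipeline rule language as an added example (not the original project's rules). The EventID values in both lists, the SourceModuleName replacement value and the field name EventID are constructed placeholders; match them to what your input actually produces.

```graylog
// Stage 0 (attached to both pipelines): override SourceModuleName for the SIEM parser.
// The replacement value is a placeholder; use the module name your parser expects.
rule "set_source_module_name"
when
    has_field("SourceModuleName")
then
    set_field("SourceModuleName", "PLACEHOLDER_parser_module_name");
end

// Stage 1 of win_event_allow: only the listed EventIDs are routed to win_event_allowed.
// The IDs are constructed sample values. The anchors ^ and $ force a whole-value match,
// so an EventID of 14624 does not slip through on a partial match of 4624.
rule "win_event_allow_list"
when
    has_field("EventID") &&
    regex("^(4624|4625|4688|4720)$", to_string($message.EventID)).matches == true
then
    route_to_stream(name: "win_event_allowed");
    // Uncomment if events should leave the source stream once routed:
    // remove_from_stream(name: "win_event_all");
end

// Stage 1 of win_event_drop: every EventID except the listed ones is routed to
// win_event_dropped. The listed IDs are constructed sample values.
rule "win_event_drop_list"
when
    has_field("EventID") &&
    regex("^(4634|4647|5156)$", to_string($message.EventID)).matches == false
then
    route_to_stream(name: "win_event_dropped");
end
```

Events without an EventID field match neither rule and stay only in win_event_all, so watch that stream for unparsed events before assuming the lists are complete.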