Skip to main content
Solved

Cribl Edge XPath Filtering Not Working For Windows Log Ingestion

  • April 21, 2026
  • 18 replies
  • 3 views
P
This message originated from Cribl Community Slack.
Click here to view the original link.

Does anyone know if Cribl Edge can handle xpath filtering on the windows log ingestion side? IE I can feed it the xpath that I want for logs and it honors that

Best answer by Jon Rust

Edge WEL source collects by channel/log, then filters downstream in Cribl using Cribl's standard functions and JS interactions

18 replies

Jon Rust
Forum|alt.badge.img
  • Jon Rust
  • Employee
  • Answer
  • April 21, 2026
Edge WEL source collects by channel/log, then filters downstream in Cribl using Cribl's standard functions and JS interactions
Jon Rust
Forum|alt.badge.img
  • Jon Rust
  • Employee
  • April 21, 2026
No XPATH that I'm aware of
P
Ahh Ok, so best practice is to collect it all edge, send it to stream and then drop events out of the stream that are not required
Jon Rust
Forum|alt.badge.img
  • Jon Rust
  • Employee
  • April 21, 2026
if the filters are simple, and you really don't care about the evnt, there is benefit to dropping at Edge. Namely, it doesn’t count against your Cribl license.
S
I've got some custom code functions that "simulate" our subscription XML.
Jon Rust
Forum|alt.badge.img
  • Jon Rust
  • Employee
  • April 21, 2026
you can use pipelines in Edge, very similar to Stream. But don't go nuts wiht giant regex, etc or you risk impacting CPU too much
S
Put em right in an Edge pipeline so it's all done client-side.
S
Lol, what @user said.
S
@user, I could share enough of that code function with you to get the gist. It's pretty lightweight.
Jon Rust
Forum|alt.badge.img
  • Jon Rust
  • Employee
  • April 21, 2026
I like the idea of an allow-list on the Edge side. A lookup file with the event IDs you want to allow. Everything else gets dropped... or dumped to object storage just in case.
P
got it, so go super heavy with code and cpu intensive operations on the edge, and then blame cribl for it and never accept that i caused the issue lol
P
@user if you could share that’d be great
S


Links for this message:
image.png
P
Thanks, much appreciated!
S
That's just the setup... Here's the code for our (raw) Security events (with some [...] for obfuscation because you know, security): 
const eid = __e.Id;

/* =========================
   SIMPLE EVENT ID MATCHES
   ========================= */

const basicEvents = [
  5632, 4697, 4778, 4779, 4616,
  1100, [...]
].includes(eid);

/* =========================
   LOGON / LOGOFF LOGIC
   ========================= */

const logonEvents =
  eid === 4624 &&
  __e.LogonType !== '3' &&
  __e.LogonType !== '5';

const logoffEvents =
  eid === 4634 &&
  __e.LogonType !== '3';

[...]

/* =========================
   SHARE / DEVICE / TASKS
   ========================= */

const shareAccess =
  eid === 5140 &&
  __e.ShareName !== '\\\\*\\IPC$' &&
  __e.ShareName !== '\\\\*\\NetLogon';

[...]

/* =========================
   ACCOUNT / GROUP / AUTH
   ========================= */

const accountChanges =
  [4723, 4738, 4740, 4767].includes(eid);

[...]

/* =========================
   FINAL DECISION
   ========================= */

__e.allowed =
  basicEvents ||
  logonEvents ||
  logoffEvents ||
  failedLogon ||
  serviceLogon ||
  shareAccess ||
  adminGroupRemoval ||
  deviceNetClass ||
  scheduledTasks ||
  accountChanges ||
  groupChanges ||
  kerberos ||
  firewall ||
  eventlogProvider;
S
I chose that route over lookups since we're not just filtering on EventIDs and didn't want to get into crazy lookup sprawl.
S
Each event comes out of its respective Code function (steps 3 or 4) with the new field, allowed, which is then dropped if false (step 5).
Jon Rust
Forum|alt.badge.img
  • Jon Rust
  • Employee
  • April 21, 2026
nifty!
Terms & ConditionsAccessibility statement