The title pretty much says it all. I am trying to figure out if there is a way to make my winlogbeat config conditions case insensitive so when I want to exclude something for, let's say, a file path, I do not have to add a different exclusion for Windows\folder, windows\folder, WINDOWS\folder, etc.
Any help would be greatly appreciated.
Do you have an example of your existing conditions that you can share? If you use a regexp condition you can make it case-insensitive.
- drop_event:
    when.regexp.message: '(?i)windows'
Is there any performance impact using regex? Here is an example:
- drop_event.when.or:
    - contains.process.command_line: 'C:\windows\scriptfolder\'
This works great until the command line contains C:\Windows\scriptfolder\ instead.
Hard to say what the difference would be without measuring. In the overall time of processing an event the time difference is likely a minuscule slice.
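The behaviour discussed in this thread, as an added example that is not part of the original posts or of the Beats project code: Beats conditions are evaluated with Go's regexp package, so the snippet below runs the case-sensitive `contains` rule from the follow-up post and a case-insensitive `(?i)` regexp rule over a few constructed command lines (not real events), and also times both so the performance question can be measured rather than guessed. The pattern string is exactly what would go into winlogbeat.yml; note that it doubles the backslashes because, unlike `contains`, a regexp treats `\w` and `\s` as character classes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample values for process.command_line (as Winlogbeat would
// populate it from, e.g., Sysmon event 1 or Security 4688). Not real logs.
var sampleCommandLines = []string{
	`C:\windows\scriptfolder\run.ps1 -Verbose`,
	`C:\Windows\scriptfolder\cleanup.bat`,
	`C:\WINDOWS\SCRIPTFOLDER\TASK.EXE`,
	`C:\Windows\System32\cmd.exe /c whoami`,
	`C:\Users\alice\scriptfolder\evil.exe`, // same folder name, different root: must not be dropped
}

// The needle from the thread's `contains` condition, unchanged.
const containsNeedle = `C:\windows\scriptfolder\`

// Pattern exactly as it would be written in winlogbeat.yml:
//
//   processors:
//     - drop_event:
//         when:
//           regexp:
//             process.command_line: '(?i)^C:\\windows\\scriptfolder\\'
//
// YAML single quotes do not process backslashes, so the regexp engine sees
// `\\` (a literal backslash). `(?i)` makes the match case-insensitive and
// `^` anchors it to the start of the command line.
const dropPattern = `(?i)^C:\\windows\\scriptfolder\\`

// Beats uses Go's regexp (RE2 syntax); compiling here is the same check
// Winlogbeat performs when it loads the configuration.
var dropRe = regexp.MustCompile(dropPattern)

// containsCondition mirrors the Beats `contains` condition: a plain,
// case-sensitive substring test.
func containsCondition(value string) bool {
	return strings.Contains(value, containsNeedle)
}

// regexpCondition mirrors the Beats `regexp` condition with the pattern above.
func regexpCondition(value string) bool {
	return dropRe.MatchString(value)
}

// evaluate reports, per sample line, whether each rule would drop the event.
func evaluate(lines []string) (containsDrops, regexpDrops []bool) {
	for _, l := range lines {
		containsDrops = append(containsDrops, containsCondition(l))
		regexpDrops = append(regexpDrops, regexpCondition(l))
	}
	return containsDrops, regexpDrops
}

// measure times both conditions over the sample set. The absolute numbers
// depend on the machine; only the ratio is of interest.
func measure(iterations int) (containsDur, regexpDur time.Duration, hits int) {
	start := time.Now()
	for i := 0; i < iterations; i++ {
		for _, l := range sampleCommandLines {
			if containsCondition(l) {
				hits++
			}
		}
	}
	containsDur = time.Since(start)

	start = time.Now()
	for i := 0; i < iterations; i++ {
		for _, l := range sampleCommandLines {
			if regexpCondition(l) {
				hits++
			}
		}
	}
	regexpDur = time.Since(start)
	return containsDur, regexpDur, hits
}

func main() {
	c, r := evaluate(sampleCommandLines)
	for i, l := range sampleCommandLines {
		fmt.Printf("contains=%-5v regexp=%-5v  %s\n", c[i], r[i], l)
	}
	cd, rd, _ := measure(200000)
	fmt.Printf("contains: %v  regexp: %v  (ratio %.1fx)\n", cd, rd, float64(rd)/float64(cd))
}
```

Running it shows the `contains` rule dropping only the all-lowercase line while the `(?i)` regexp drops all three spellings and leaves the two unrelated command lines alone. The timing loop is the measurement the last reply suggests: the regexp is slower per call, but both conditions run in well under a microsecond per event, so the difference is small next to the rest of the pipeline.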