Auditbeat - Drop events

elastic_bees · April 11, 2018, 8:03am

Hi there,

I'm looking to drop all successful events collected with Auditbeat:
At the end of my yaml file I've put this:
processors:
- drop_event:
when:
auditd.result: "success"

But in Kibana I still can see results auditd.result with the value success.

Any ideas?

Thanks

elastic_bees · April 11, 2018, 9:59am

ok got it,
My syntax was OK but the indentation was bad.......
Now it works.

pierhugues · April 11, 2018, 2:27pm

@elastic_bees Thanks for updating this, the YAML syntax is somewhat error-prone, but we want to make the validations better in upcoming version.

Topic		Replies	Views
Can't drop events from auditbeat Beats auditbeat	3	713	December 8, 2021
Drop event processor not working on Filebeat Beats filebeat	5	462	August 30, 2023
Dropping Events using Winlogbeat Processors Beats winlogbeat	6	1495	November 2, 2018
Dropping events in Auditbeat Beats auditbeat	5	941	April 16, 2020
How to drop events only from specific module Beats filebeat	9	994	December 2, 2020

Auditbeat - Drop events

Related topics