Auditbeat - Drop events

elastic_bees · April 11, 2018, 8:03am

Hi there,

I'm looking to drop all successful events collected with Auditbeat:
At the end of my yaml file I've put this:
processors:
- drop_event:
when:
auditd.result: "success"

But in Kibana I still can see results auditd.result with the value success.

Any ideas?

Thanks

elastic_bees · April 11, 2018, 9:59am

ok got it,
My syntax was OK but the indentation was bad.......
Now it works.

pierhugues · April 11, 2018, 2:27pm

@elastic_bees Thanks for updating this, the YAML syntax is somewhat error-prone, but we want to make the validations better in upcoming version.

Topic		Replies	Views
Can't drop events from auditbeat Beats auditbeat	3	764	December 8, 2021
Dropping events in Auditbeat Beats auditbeat	5	1021	April 16, 2020
Auditbeat processor ignores drop_event Beats auditbeat	4	592	February 22, 2022
Filebeat.yml drop event not working Beats filebeat	3	850	October 15, 2020
Drop_event does NOT work Beats metricbeat	2	378	May 24, 2019

Auditbeat - Drop events

Related topics