Auditbeat processor ignores drop_event

Hi,

Trying to filter out some spam generated by auditbeat using a processor, but it looks like, depending on how/where I set it up in the yml, it either completely ignores the processor or stops processing events altogether...

"auditbeat test config -c auditbeat.yml" says it's OK.

My processor:

processors:
  - add_host_metadata: ~
  - drop_event:
    - when:
      or:
        - equals.process.name: "auditbeat"
        - equals.event.action: "violated-seccomp-policy"

The indentation looks off. "or" should be nested under "when".

processors:
- add_host_metadata:
- drop_event:
  - when:
      or:
      - equals.process.name: auditbeat
      - equals.event.action: violated-seccomp-policy

Hi,

This is also wrong. And I played with it to try many other things but no matter what I try I either completely stop getting any output (except heartbeat), or I get an error for the processor.

Also, I should point out that different places specify a different syntax (example: the guide, compared to your comment).
Which, given how much of a special snowflake delicate little YAML is, doesn't help.

Are we sure processors actually work in AuditBeat?

Edit:

Ok so after more messing around, I decided the thing I should have done from the start.
I simplified it to just the one condition with the process.name, and wrote it EXACTLY like the example in the guide (rather than the one here), and this finally worked.
(I actually copy-pasted the thing and changed only the "http.code" part of the example)

Wow. My dislike for yaml is very strong.

Edit #2, for those interested from future-land, I did this:

processors:
  - add_host_metadata: ~
  - drop_event:
      when:
        equals:
          process.name: auditbeat

This was enough to stop all the auditbeat records of itself (which were themselves the seccomp ones anyway, so no second filter was required for that).

I see the error in my previous post. I had made the contents of drop_event an array by including a - before the when.

processors:
- add_host_metadata:
- drop_event:
    when:
      or:
      - equals.process.name: auditbeat
      - equals.event.action: violated-seccomp-policy
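As an added illustration (not code from this thread, and not Elastic's own parser or processor code): the four YAML snippets in the thread, written out as the Python structures a YAML parser returns for them, plus a small structural check and a simplified re-implementation of the equals/contains/or/and/not condition logic run over constructed sample events. The dict literals, the sample events, the validator and the evaluator are all assumptions of this example; the point it demonstrates is the one found above, that a "- " before "when" turns the drop_event settings into a list instead of a mapping, and that "equals.process.name: x" and "equals: {process.name: x}" flatten to the same dotted key.

```python
"""Added example: structure check for a Beats `processors:` list and a toy
evaluator for drop_event conditions. Not Beats code; see the lead-in."""

# Hand-written parse results (assumption: this is what a YAML parser yields
# for the snippets in the thread).

# OP's first attempt: `- when:` opens a list under drop_event, and `or:` lands
# beside `when` (same indentation) instead of under it.
OP_FIRST = [
    {"add_host_metadata": None},
    {"drop_event": [
        {"when": None,
         "or": [{"equals.process.name": "auditbeat"},
                {"equals.event.action": "violated-seccomp-policy"}]},
    ]},
]

# First reply: `or` is now under `when`, but drop_event is still a list.
REPLY_SUGGESTION = [
    {"add_host_metadata": None},
    {"drop_event": [
        {"when": {"or": [{"equals.process.name": "auditbeat"},
                         {"equals.event.action": "violated-seccomp-policy"}]}},
    ]},
]

# Edit #2: single condition, drop_event is a mapping.
WORKING_SINGLE = [
    {"add_host_metadata": None},
    {"drop_event": {"when": {"equals": {"process.name": "auditbeat"}}}},
]

# Last post: two conditions, no `- ` before `when`.
WORKING_OR = [
    {"add_host_metadata": None},
    {"drop_event": {"when": {"or": [
        {"equals.process.name": "auditbeat"},
        {"equals.event.action": "violated-seccomp-policy"}]}}},
]

# Constructed sample events (not real auditbeat output).
SAMPLE_EVENTS = [
    {"event": {"action": "executed"}, "process": {"name": "sshd"}},
    {"event": {"action": "violated-seccomp-policy"}, "process": {"name": "auditbeat"}},
    {"event": {"action": "violated-seccomp-policy"}, "process": {"name": "chrome"}},
    {"event": {"action": "executed"}, "process": {"name": "auditbeat"}},
]


def validate_processors(processors):
    """Return a list of structural problems; an empty list means the shape is OK."""
    problems = []
    if not isinstance(processors, list):
        return ["processors must be a list"]
    for i, entry in enumerate(processors):
        if not isinstance(entry, dict) or len(entry) != 1:
            problems.append(f"processors[{i}]: each entry must be a single-key mapping")
            continue
        (name, settings), = entry.items()
        if settings is not None and not isinstance(settings, dict):
            # This is the `- when:` mistake: a list where a mapping is expected.
            problems.append(f"processors[{i}].{name}: settings must be a mapping, "
                            f"got {type(settings).__name__}")
            continue
        if name == "drop_event":
            settings = settings or {}
            if not isinstance(settings.get("when"), dict):
                problems.append(f"processors[{i}].drop_event: needs a `when` mapping")
            for extra in sorted(set(settings) - {"when"}):
                problems.append(f"processors[{i}].drop_event: `{extra}` must sit under `when`")
    return problems


def flatten(obj, prefix=""):
    """Flatten nested mappings into dotted keys: {"a": {"b": 1}} -> {"a.b": 1}.
    Lists are kept as leaves so `or`/`and` operands survive intact."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            full = f"{prefix}.{key}" if prefix else key
            if isinstance(value, dict):
                out.update(flatten(value, full))
            else:
                out[full] = value
    return out


def matches(condition, flat_event):
    """Evaluate a `when` condition against an event flattened by flatten().
    Operators: equals, contains, or, and, not. Sibling keys are ANDed (assumption)."""
    for key, value in flatten(condition).items():
        if key == "or":
            ok = any(matches(sub, flat_event) for sub in value)
        elif key == "and":
            ok = all(matches(sub, flat_event) for sub in value)
        elif key.startswith("not."):
            ok = not matches({key[len("not."):]: value}, flat_event)
        elif key.startswith("equals."):
            ok = flat_event.get(key[len("equals."):]) == value
        elif key.startswith("contains."):
            field = flat_event.get(key[len("contains."):])
            ok = isinstance(field, str) and value in field
        else:
            raise ValueError(f"unsupported condition key: {key}")
        if not ok:
            return False
    return True


def apply_drop_event(processors, events):
    """Return the events that no drop_event processor matches; refuse bad shapes."""
    problems = validate_processors(processors)
    if problems:
        raise ValueError("; ".join(problems))
    kept = []
    for event in events:
        flat = flatten(event)
        if not any(matches(entry["drop_event"]["when"], flat)
                   for entry in processors if "drop_event" in entry):
            kept.append(event)
    return kept


if __name__ == "__main__":
    for label, cfg in [("OP_FIRST", OP_FIRST), ("REPLY_SUGGESTION", REPLY_SUGGESTION),
                       ("WORKING_SINGLE", WORKING_SINGLE), ("WORKING_OR", WORKING_OR)]:
        print(label, validate_processors(cfg) or "OK")
    print([e["process"]["name"] for e in apply_drop_event(WORKING_OR, SAMPLE_EVENTS)])
```

Running it shows the two list-shaped configs rejected at the drop_event entry, the single-condition config keeping sshd and chrome, and the or-condition config keeping only sshd. The flatten step is what makes the dotted "equals.process.name" form and the nested "equals: / process.name:" form equivalent in this toy, which is why the guide's example and the reply's example can both be valid while differing in layout.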
