This post is a continuation of https://discuss.elastic.co/t/winlogbeat-7-13-0-expected-int-but-got-type-string-in-equals-condition/274273/3, which didn't produce a complete solution for me. With the change of data type for event.code and winlog.event_id from integer to keyword in version 7.13, it would seem that the range condition can no longer be used to drop events by ID, such as:
```yaml
  - name: Security
    ignore_older: 336h
    processors:
      ##
      ## These are the events that I want to keep
      ##
      - drop_event.when.not.or:
          - range.winlog.event_id: { gte: 1100, lte: 4609 }
          - equals.winlog.event_id: "4616"
          - range.winlog.event_id: { gte: 4624, lte: 4625 }
```
When I ran winlogbeat, I noticed warnings for the range conditions saying that it "found a string when it was expecting an integer". I thought the warnings were benign. I've now discovered that the event IDs in the range expressions are being dropped instead of being allowed through. Can the range condition no longer be used, so that I now have to explicitly use an equals or contains condition for each individual event ID that I want to keep? Surely there is a better way. A response or solution is greatly appreciated.
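One way to keep the range conditions after the keyword change, as an added example that is not part of the original post and not an answer confirmed by Elastic: use the libbeat `convert` processor to copy `winlog.event_id` into an integer field first, apply the range conditions to that copy, and drop the helper field afterwards. Processors run in the order listed, so the `convert` step must come before `drop_event`. The helper field name `winlog.event_id_int` is an arbitrary choice made for this example.

```yaml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 336h
    processors:
      # 1. Copy the keyword event ID into a numeric helper field.
      #    winlog.event_id_int is an assumed name chosen for this example.
      #    fail_on_error: false leaves the event untouched if the value
      #    does not parse instead of raising an error.
      - convert:
          fields:
            - { from: "winlog.event_id", to: "winlog.event_id_int", type: "integer" }
          ignore_missing: true
          fail_on_error: false
      # 2. Range conditions now compare integers; the single-ID match stays
      #    an equals on the original keyword field with the value quoted.
      - drop_event:
          when:
            not:
              or:
                - range:
                    winlog.event_id_int: { gte: 1100, lte: 4609 }
                - equals:
                    winlog.event_id: "4616"
                - range:
                    winlog.event_id_int: { gte: 4624, lte: 4625 }
      # 3. Remove the helper field so it is not shipped or indexed.
      - drop_fields:
          fields: ["winlog.event_id_int"]
          ignore_missing: true
```

One caveat to check when adopting this: if a conversion fails, `winlog.event_id_int` is absent, both range conditions evaluate false, and the surrounding `not.or` then drops the event. If such events should be kept instead, add a `has_fields` guard (or an `equals` on the original keyword field) to the `or` list rather than relying on the range alone.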