Can't drop events from auditbeat

Hello! I just want to filter some useless logs from auditbeat. I tried this config in auditbeat.yml:

- module: system
  processors:
    - drop_event:
        when:
          equals:
            event.action: "network_flow"
    - drop_event:
        when:
          equals:
            event.action: "logged-in"

It successfully drops "network_flow" events, but I still receive "logged-in" events. What am I doing wrong?

"logged-in" or "logged_in" ?

and is that the actual value in the event.action field?

Otherwise looks good, what happens if you reverse the order (which should not matter) or just use the 2nd drop_event.

You know sometimes I get tired of all the indents... this should work as well

  processors:
    - drop_event.when.equals.event.action: "network_flow"

The problem was with the .yml syntax. The processors block should begin at the left margin without leading spaces. This works for me:

processors:
    - drop_event:
        when:
          or:
            - equals:
                event.action: "negotiated-crypto-key"
            - equals:
                event.action: "disposed-credentials"
            - equals:
                event.action: "started-session"
            - equals:
                event.action: "acquired-credentials"
            - equals:
                event.action: "authenticated"
            - equals:
                event.action: "started-crypto-session"
            - equals:
                event.action: "was-authorized"
            - equals:
                event.action: "logged-in"
            - equals:
                event.action: "logged-out"
            - equals:
                event.action: "changed-login-id-to"
            - equals:
                event.action: "ended-session"
            - equals:
                event.action: "executed"
            - equals:
                event.action: "error"
            - equals:
                event.action: "refreshed-credentials"
            - equals:
                event.action: "opened-file"
            - equals:
                event.action: "existing_user"
            - equals:
                event.action: "existing_package"
            - equals:
                event.action: "loaded-firewall-rule-to"
            - equals:
                event.action: "violated-apparmor-policy"
            - equals:
                event.action: "violated-seccomp-policy"
            - equals:
                event.action: "changed-promiscuous-mode-on-device"
            - equals:
                event.action: "wrote-to-file"
            - equals:
                process.executable: "/usr/sbin/chronyd"
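The following is an added example, not code from Beats or from anyone in this thread. It models how the drop_event processor's `equals`, `or`, `and` and `not` conditions are evaluated against an event, including the dotted shorthand (`drop_event.when.equals.event.action: "..."`) mentioned above, so you can check a condition list before deploying it. Conditions are passed as the plain dicts the YAML parses into (no YAML library is needed); the events and the `SAMPLE_EVENTS`, `THREAD_CONFIG`, `SHORTHAND_CONFIG` and `OR_CONFIG` names are constructed for this illustration and are not real auditbeat output.

```python
"""Evaluate Beats-style drop_event conditions against sample events (added example)."""
from typing import Any, Dict, List


def expand_dotted(obj: Any) -> Any:
    """Expand {'a.b.c': v} into {'a': {'b': {'c': v}}}, recursively.

    This is the shorthand YAML lets you write for nested keys, e.g.
    'drop_event.when.equals.event.action: "network_flow"'.
    """
    if isinstance(obj, list):
        return [expand_dotted(x) for x in obj]
    if not isinstance(obj, dict):
        return obj
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        value = expand_dotted(value)
        parts = key.split(".")
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        leaf = parts[-1]
        if isinstance(cur.get(leaf), dict) and isinstance(value, dict):
            cur[leaf].update(value)  # merge two spellings of the same path
        else:
            cur[leaf] = value
    return out


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts into {'a.b.c': v}. Used for both the event and the
    equals map, so 'event.action' and event: {action: ...} compare alike."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(value, dict):
                out.update(flatten(value, path))
            else:
                out[path] = value
    return out


def matches(cond: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate one condition object (exactly one operator) against an event."""
    if len(cond) != 1:
        raise ValueError("a condition has exactly one operator, got %r" % list(cond))
    op, arg = next(iter(cond.items()))
    fields = flatten(event)
    if op == "equals":
        # Exact match on every listed field: "logged-in" != "logged_in".
        return all(fields.get(f) == v for f, v in flatten(arg).items())
    if op == "or":
        return any(matches(c, event) for c in arg)
    if op == "and":
        return all(matches(c, event) for c in arg)
    if op == "not":
        return not matches(arg, event)
    if op == "has_fields":
        return all(f in fields for f in arg)
    raise ValueError(f"unsupported operator {op!r}")


def apply_processors(processors: List[Dict[str, Any]], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run drop_event entries (verbose or dotted shorthand) and return the survivors."""
    kept = []
    for ev in events:
        dropped = False
        for proc in (expand_dotted(p) for p in processors):
            if "drop_event" not in proc:
                continue  # other processor types are out of scope here
            when = proc["drop_event"].get("when")
            if when is None:  # Beats requires a condition on drop_event
                raise ValueError("drop_event without a 'when' condition")
            if matches(when, ev):
                dropped = True
                break
        if not dropped:
            kept.append(ev)
    return kept


# Constructed sample events (shape mimics auditbeat, values are made up).
SAMPLE_EVENTS = [
    {"event": {"action": "network_flow"}, "source": {"ip": "10.0.0.5"}},
    {"event": {"action": "logged-in"}, "user": {"name": "alice"}},
    {"event": {"action": "logged_in"}},  # underscore variant: a different string
    {"event": {"action": "executed"}, "process": {"executable": "/usr/sbin/chronyd"}},
    {"event": {"action": "process_started"}, "process": {"executable": "/usr/bin/python3"}},
]

# The two drop_event entries from the question, in the verbose form.
THREAD_CONFIG = [
    {"drop_event": {"when": {"equals": {"event.action": "network_flow"}}}},
    {"drop_event": {"when": {"equals": {"event.action": "logged-in"}}}},
]

# The same two rules in the dotted shorthand suggested in the thread.
SHORTHAND_CONFIG = [
    {"drop_event.when.equals.event.action": "network_flow"},
    {"drop_event.when.equals.event.action": "logged-in"},
]

# A shortened version of the 'or' list from the accepted answer.
OR_CONFIG = [{"drop_event": {"when": {"or": [
    {"equals": {"event.action": "logged-in"}},
    {"equals": {"event.action": "executed"}},
    {"equals": {"process.executable": "/usr/sbin/chronyd"}},
]}}}]


def surviving_actions(processors: List[Dict[str, Any]], events=SAMPLE_EVENTS) -> List[str]:
    """Return event.action of every sample event that is not dropped."""
    return [e["event"]["action"] for e in apply_processors(processors, events)]


if __name__ == "__main__":
    for name, cfg in [("verbose", THREAD_CONFIG), ("shorthand", SHORTHAND_CONFIG), ("or-list", OR_CONFIG)]:
        print(f"{name:>9}: kept {surviving_actions(cfg)}")
```

The evaluator works on already-parsed structures, so it does not reproduce the indentation mistake that turned out to be the real cause in this thread; for that, run `auditbeat test config -c auditbeat.yml` on the file itself. What it does show is that a rule only fires on an exact string match (the `logged_in` event survives the `logged-in` rule), and that the dotted shorthand and the verbose block produce identical results.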
