Can't drop events from auditbeat

sadux · November 2, 2021, 11:31am

Hello! Just want to filter some useless logs from auditbeat. Try this config at auditbeat.yml:

- module: system
  processors:
    - drop_event:
        when:
          equals:
            event.action: "network_flow"
    - drop_event:
        when:
          equals:
            event.action: "logged-in"

It succesfully drop "network_flow" events, but I still received "logged-in" events. What am I doing wrong?

stephenb · November 2, 2021, 4:29pm

"logged-in" or "logged_in" ?

and is that the actual value in the event.action field?

Otherwise looks good, what happens if you reverse the order (which should not matter) or just use the 2nd drop_event.

You know sometimes I get tired of all the indents... this should work as well

  processors:
    - drop_event.when.equals.event.action: "network_flow"

sadux · November 10, 2021, 10:52am

Problem was with .yml syntax. proceessors block should begin from left side without space. It's work for me:

processors:
    - drop_event:
        when:
          or:
            - equals:
                event.action: "negotiated-crypto-key"
            - equals:
                event.action: "disposed-credentials"
            - equals:
                event.action: "started-session"
            - equals:
                event.action: "acquired-credentials"
            - equals:
                event.action: "authenticated"
            - equals:
                event.action: "started-crypto-session"
            - equals:
                event.action: "was-authorized"
            - equals:
                event.action: "logged-in"
            - equals:
                event.action: "logged-out"
            - equals:
                event.action: "changed-login-id-to"
            - equals:
                event.action: "ended-session"
            - equals:
                event.action: "executed"
            - equals:
                event.action: "error"
            - equals:
                event.action: "refreshed-credentials"
            - equals:
                event.action: "opened-file"
            - equals:
                event.action: "existing_user"
            - equals:
                event.action: "existing_package"
            - equals:
                event.action: "loaded-firewall-rule-to"
            - equals:
                event.action: "violated-apparmor-policy"
            - equals:
                event.action: "violated-seccomp-policy"	
            - equals:
                event.action: "changed-promiscuous-mode-on-device"
            - equals:
                event.action: "wrote-to-file"
            - equals:
                process.executable: "/usr/sbin/chronyd"

system · December 8, 2021, 12:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.