Trying to set up a condition in the system.yml file for dropping some events when a condition is met.
What I want to do is:
if these conditions are met, drop the event.
( cond1 OR cond2 OR cond3 ) AND ( cond4 OR cond5 )
For example, here I want to drop the event
if (user=root OR user=nagios ) AND (process.name not like "^http*" OR process.name not like "^weblogic" )
In short, I want to drop processes which start with http/weblogic and where the user is root or nagios,
but however many different combinations I try, it is not working. Spent hours on different kinds of combinations. What am I missing here?
processors:
  - drop_event:
      when:
        or:
          equals:
            user.name: root
          equals:
            user.name: nagios
        and:
          or:
            not:
              regexp:
                process.name: "^http*"
            not:
              regexp:
                process.name: "^weblogic*"
stephenb
(Stephen Brown)
July 22, 2021, 8:31pm
Agree, the complex logic is not easy...
EDIT: Take that back. Your top-level boolean operator, according to your logic above, is the and.
Looking at it...
More like this:
processors:
  - drop_event:
      when:
        and:
          or:
            equals:
              user.name: root
            equals:
              user.name: nagios
          or:
            not:
              regexp:
                process.name: "^http*"
            not:
              regexp:
                process.name: "^weblogic*"
OK, finally metricbeat started up, but the condition matching is still confusing me. Will try it tomorrow, as it all seems more complicated at this stage.
I am just trying a simple test.
I have a java process running as root on the system and am just trying to get that and drop everything else. But on the real machine I will have four more processes that I need to get which run as root.
But this is not giving me that java process:
root 15326 13993 0 20:45 pts/5 00:01:54 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyF
This setting drops everything from the system.
processors:
  - drop_event:
      when:
        or:
          - equals:
              user.name: root
          - equals:
              user.name: sachin
          - equals:
              user.name: kibana
          - equals:
              user.name: elasticsearch
          - equals:
              user.name: apm-server
          - equals:
              user.name: rpc
          - equals:
              user.name: dbus
        and:
          or:
            - not:
                equals:
                  process.name: java
            - not:
                equals:
                  process.name: sachin
stephenb
(Stephen Brown)
July 22, 2021, 10:28pm
Did you know that you can just specify the processes that you are looking for in the system module? See here.
Thanks Stephen, but I will need complicated conditions in future.
Here my simple thing is not even working.
For example:
This works, and only gives me the java process running on the system.
processors:
  - drop_event.when.or:
      - not:
          equals:
            process.name: "java"
As soon as I add anything to it, it stops. The following does not give me any process, no output.
But in logic it says:
drop event when ( process.name != "java" OR process.name != apm-server )
This means everything but java and apm-server, correct?
processors:
  - drop_event.when.or:
      - not:
          equals:
            process.name: "java"
      - not:
          equals:
            process.name: "apm-server"
Working. I needed AND in place of OR.
stephenb
(Stephen Brown)
July 23, 2021, 2:44pm
Good.
Here is how I did it, 2 ways.
You need to think highest precedence to the left.
This drops everything but these 2 processes; it says:
Drop When
NOT (Google OR docker)
- drop_event.when.not.or:
    - equals.process.name: "Google Chrome H"
    - equals.process.name: "com.docker.hype"
Show me yours.... Yes, I suspect it looks like this:
Drop When
(NOT Google) AND (NOT docker)
- drop_event.when.and:
    - not.equals.process.name: "Google Chrome H"
    - not.equals.process.name: "com.docker.hype"
Which are equivalent.
BTW, I like the inline shorthand better... easier for me to read.
You're right, this makes more sense for reading and understanding quickly.
processors:
  - drop_event.when.and:
      - not.regexp.process.name: "java*"
      - not.regexp.process.name: "apm-server*"
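The OR-versus-AND point from the thread, worked through with a small evaluator. This is an added example, not code from the thread or from Beats: it models the Beats condition tree (and/or/not/equals/regexp) in Python over constructed process names and shows which events each variant of the drop_event condition lets through, including why the unanchored regexp form also keeps names that merely contain the pattern.

```python
import re

# Constructed sample process names (not taken from the thread).
EVENTS = [{"process.name": n} for n in ["java", "apm-server", "httpd", "weblogic", "javaws"]]


def matches(cond, event):
    """Evaluate a Beats-style condition tree on one event.

    'and'/'or' hold a list of conditions, 'not' holds one condition, and
    'equals'/'regexp' hold a {field: value} mapping. Beats regexps use Go RE2
    syntax and are unanchored, so "java*" means "jav" followed by zero or more
    "a" anywhere in the value; anchor with ^ and $ when you mean a whole name.
    """
    if "and" in cond:
        return all(matches(c, event) for c in cond["and"])
    if "or" in cond:
        return any(matches(c, event) for c in cond["or"])
    if "not" in cond:
        return not matches(cond["not"], event)
    if "equals" in cond:
        return all(event.get(f) == v for f, v in cond["equals"].items())
    if "regexp" in cond:
        return all(re.search(p, str(event.get(f, ""))) for f, p in cond["regexp"].items())
    raise ValueError(f"unknown condition: {cond}")


def kept(drop_when, events=EVENTS):
    """Process names whose events survive a drop_event with this 'when' clause."""
    return [e["process.name"] for e in events if not matches(drop_when, e)]


def not_equals(name):
    return {"not": {"equals": {"process.name": name}}}


def not_regexp(pattern):
    return {"not": {"regexp": {"process.name": pattern}}}


# The non-working form: drop when name != java OR name != apm-server.
# Every name satisfies at least one side, so every event is dropped.
DROP_OR = {"or": [not_equals("java"), not_equals("apm-server")]}
# The working form: drop when name != java AND name != apm-server.
DROP_AND = {"and": [not_equals("java"), not_equals("apm-server")]}
# The final regexp form from the thread; unanchored, so "javaws" survives too.
DROP_REGEX_LOOSE = {"and": [not_regexp("java*"), not_regexp("apm-server*")]}
# Anchored patterns keep only the exact names.
DROP_REGEX_STRICT = {"and": [not_regexp("^java$"), not_regexp("^apm-server$")]}

if __name__ == "__main__":
    for label in ["DROP_OR", "DROP_AND", "DROP_REGEX_LOOSE", "DROP_REGEX_STRICT"]:
        print(label, kept(globals()[label]))
```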
system
(system)
August 20, 2021, 4:53pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.