Drop_event filter

I have the following filter in the system.yml file and it is working fine.

It drops the event if the username is root or ntp, or the process has the myjob.* pattern.

  processors:
     - drop_event:
         when:
           or:
           - equals:
               user.name: root
           - equals:
               user.name: ntp
           - regexp:
               process.name: "myjob.*"

I want to add one more condition

drop event
if user = root or ntp or regexp (process.name = myjob.* and not drop if regexp(process.name = sachin.*

I tried the following but it is not working. What am I missing?

  processors:
     - drop_event:
         when:
           or:
           - equals:
               user.name: root
           - equals:
               user.name: ntp
           - regexp:
               process.name: "myjob.*"
           not:
           - regexp:
              process.name: "sachin.*"

I just used this but I am not getting anything.

  processors:
     - drop_event:
         when:
           not:
             equal:
               process_fullname: "sachin-dev.service.31746"

I removed all the processors and made sure I have that event, and yes I do.

Then I used a different condition, like
process.name =

But it seems like I am not placing NOT at the correct place.

Please help if anyone has ever used this kind of expression.

After further testing and debugging I am still not getting what I want.

Two individual processors work:

  1. Drops all events which have user.name = root

  processors:
     - drop_event:
         when:
           or:
           - equals:
               user.name: root

  2. Drops all events which have no process.name=sachin-gateway

  processors:
     - drop_event:
         when:
           not:
             equals:
               process.name: sachin-gateway

How do I combine them so all processes with user.name=root are dropped except process.name=sachin-gateway?

I tried many different methods; none works.

This one drops all processes with user.name=root:

  processors:
     - drop_event:
         when:
           and:
             equals.user.name: root
             not.equals.process.name: sachin-gateway.pr

Alright, this works:


  processors:
    - drop_event.when.and:
        - equals.user.name: root
        - not.equals.process.name: sachin-gateway

But I want to add an or condition to this, to drop

user.name = zabbix or user.name = postfix or user.name=statd etc...

Basically something like this:

drop_event when:
( username=root and NOT process.name=sachin.gateway) or (username=nscd or username=postfix or username=xyz)

Alright, fixed it.

Just in case someone has the same issue:

  processors:
    - drop_event.when:
        and:
          - equals.user.name: root
          - not.equals.process.name: sachin-gateway
    - drop_event.when:
        or:
          - equals.user.name: postfix
          - equals.user.name: zabbix

Instead of combining the two conditions, I wrote them out separately.

drop_event when
(user.name=root AND NOT process.name=sachin-gateway)
drop_event when
(user.name=postfix OR user.name=zabbix)
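
The combined expression asked for earlier in the thread, (user.name=root AND NOT process.name=sachin-gateway) OR user.name=postfix OR user.name=zabbix, can also be written as a single processor by making the `and` group one entry of the `or` list. This is an added example, not part of the original posts; it uses only the field names and values that appear in the thread.

```yaml
processors:
  - drop_event:
      when:
        # `or` and `and` each take a LIST of conditions (one "-" per entry).
        or:
          # Entry 1: root events, except those from sachin-gateway.
          - and:
              - equals:
                  user.name: root
              # `not` takes ONE condition as a mapping, not a list,
              # and must sit inside the list it modifies rather than
              # beside `or` directly under `when`.
              - not:
                  equals:
                    process.name: sachin-gateway
          # Entries 2 and 3: service accounts that are always dropped.
          - equals:
              user.name: postfix
          - equals:
              user.name: zabbix
```

Because dropped events never reach the output, keep the exclusion as narrow as possible so that root activity outside the listed exception is still visible downstream.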