Drop event in procesor result in no records

Ruben_Bahntje · January 18, 2024, 10:51am

I am using Fleet to configure agent policies for windows servers.
I configure to get several security events 4624, 4625, 4771 and drop events when LogonType = 3

I ve configure procesor like this:

drop_event:
when:
equals:
winlog.event_data.LogonType: 3

The result is no security channel events are ingested in Elasticsearch.

yago82 · January 18, 2024, 11:12am

Hi,

Try changing your condition to compare winlog.event_data.LogonType to the string "3" instead:

drop_event:
  when:
    equals:
      winlog.event_data.LogonType: "3"

Regards

Ruben_Bahntje · January 18, 2024, 1:29pm

Thanks!
Thats resolve the problem

system · February 15, 2024, 1:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop_event processor in Powershell Channels Elastic Agent fleet	3	92	July 18, 2024
Droping winlog.event_data.LogonType: "3" Beats winlogbeat	3	973	June 8, 2020
Processor not dropping events Beats Winlogbeat Beats winlogbeat	3	810	April 29, 2021
Processor [drop_event] not dropping events Beats Winlogbeat Beats winlogbeat	3	647	July 31, 2019
Winlogbeat 8.4 - Processors - Drop Event Beats winlogbeat	2	367	December 30, 2022

Drop event in procesor result in no records

Related topics