Hello,
I'm trying to create a drop_event processor to only allow Elasticsearch audit logs which have a request.name = "AuthenticateRequest". Clearly my process is not working, as all events are not matching and everything is being dropped.
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - drop_event:
      when:
        not:
          # a condition needs an operator; a bare field:value line is not one
          equals:
            request.name: "AuthenticateRequest"
Here is a sample of the data being logged to disk, with the key-value pair matching the log entries, but they do not log to Elasticsearch.
{"type":"audit", "timestamp":"2023-07-31T14:58:05,675-0400", "cluster.uuid":"mmsQadMlRySqZ5FVIVZu_w", "node.id":"ItmwGws8Qu-xismk7PwdMA", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"monitor", "user.realm":"native1", "user.roles":["kibana_monitor","elasticsearch_monitor"], "origin.type":"rest", "origin.address":"x.x.x.x:47702", "request.id":"Thfm_mHwTkKA25MHTatgag", "action":"cluster:admin/xpack/security/user/authenticate", "request.name":"AuthenticateRequest", "opaque_id":"cc567b01-8f8b-452c-b251-e41d4a061b84", "trace.id":"d6f7a0878ab69b081e0f9a9848c9e6a3"}
{"type":"audit", "timestamp":"2023-07-31T14:58:05,681-0400", "cluster.uuid":"mmsQadMlRySqZ5FVIVZu_w", "node.id":"ItmwGws8Qu-xismk7PwdMA", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"monitor", "user.realm":"native1", "user.roles":["kibana_monitor","elasticsearch_monitor"], "origin.type":"rest", "origin.address":"x.x.x.x:52116", "request.id":"enO8cVK4SiqsnCP27KsM7Q", "action":"cluster:admin/xpack/security/user/authenticate", "request.name":"AuthenticateRequest", "opaque_id":"ab1e85cc-8dfc-4eb3-8aaa-03ffae7fa30c", "trace.id":"d6ac44251f290be0ec069686a55b2878"}
If I change the logic to match a specific key-value pair, it does not work either using the Elasticsearch audit logs.
I'd appreciate any help. Thank you!
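The following is an added example of a Filebeat configuration, not the poster's own config. It demonstrates two things a drop_event filter on these audit lines depends on: the raw JSON line arrives in the `message` field and has to be decoded into event fields before a processor can test `request.name`, and a `when` condition must use an operator such as `equals` with a `field: value` pair. The input type, the `id`, and the log path are assumptions; with `expand_keys` the dotted keys in the audit JSON become nested objects so the dotted path in the condition resolves.

```yaml
# Added example (not the poster's config): parse each audit line into fields
# before the processors run, then keep only AuthenticateRequest events.
filebeat.inputs:
  - type: filestream
    id: es-audit                                # assumed id
    paths:
      - /var/log/elasticsearch/*_audit.json     # assumed path

processors:
  # Processors run in order: decode first so request.name exists in the event.
  - decode_json_fields:
      fields: ["message"]
      target: ""          # decode into the top level of the event
      overwrite_keys: true
      expand_keys: true   # "request.name" -> request: { name: ... }
  # Drop everything whose request.name is not AuthenticateRequest.
  - drop_event:
      when:
        not:
          equals:
            request.name: "AuthenticateRequest"
```

Syntax can be checked with `filebeat test config -c filebeat.yml` before restarting. Note that if the audit log is collected through the Filebeat `elasticsearch` module instead of a plain input, the JSON is parsed by the module's ingest pipeline inside Elasticsearch, so a Filebeat-side drop_event never sees `request.name`; in that case the filter has to be applied on the parsed field after ingest rather than in the Beat's processors.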