Drop_event processor not working

borna_talebi · May 12, 2021, 8:42am

I have a proccessor to drop some events for a user. here is my config:

processors:
- drop_event:
    when:
      and:
      - or:
        - equals.event.code: 4658
        - equals.event.code: 4656
        - equals.event.code: 4634
        - equals.event.code: 4648
      - equals.event_data.SubjectUserName: "test-user$"

But it's not working. I've restarted the winlogbeat service too.
I'm using ELK 7.9 with winlogbeat 7.2

andrewkroh · May 12, 2021, 12:27pm

Does event_data.SubjectUserName field exist in any events you have? I think it should be winlog.event_data.SubjectUserName.

borna_talebi · May 12, 2021, 3:31pm

It's winlog.event_data.SubjectUserName in my config. just a typo here.
I'm guessing the $ at the end is causing the problem.

system · June 9, 2021, 5:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to drop events Beats winlogbeat	6	986	June 28, 2018
Winlogbeat drop event with process path Beats winlogbeat	1	420	July 17, 2021
Winlogbeat and drop_event filter Beats winlogbeat	5	4946	May 9, 2017
Drop_event in 7.6.0 Beats winlogbeat	2	367	March 31, 2020
Struggling with Drop_Event Processor Syntax and Structure Beats winlogbeat	2	356	July 23, 2020

Drop_event processor not working

Related topics