I have a proccessor to drop some events for a user. here is my config:
processors:
- drop_event:
when:
and:
- or:
- equals.event.code: 4658
- equals.event.code: 4656
- equals.event.code: 4634
- equals.event.code: 4648
- equals.event_data.SubjectUserName: "test-user$"
But it's not working. I've restarted the winlogbeat service too.
I'm using ELK 7.9 with winlogbeat 7.2
Does event_data.SubjectUserName field exist in any events you have? I think it should be winlog.event_data.SubjectUserName.
It's winlog.event_data.SubjectUserName in my config. just a typo here.
I'm guessing the $ at the end is causing the problem.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.