Drop event processor not working

Elastic Stack Beats
1

I'm wanting to exclude a particular event if the eventdata contains X value. I've also tried dropping based on just the event id, but for some reason i'm unable to get the event to get dropped & is still being processed.
I've appended the log below also..

  - name: Microsoft-Windows-FailoverClustering/Operational
    processors: 
      - drop_event.when.or: 
        - contains.event_data: 'RegCheckpoint::SaveCheckpoint'
        - equals.event_id: 2051

The xml data for the event is this:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-FailoverClustering" Guid="{GUID}" /> 
  <EventID>2051</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x2000000000000000</Keywords> 
  <TimeCreated SystemTime="2022-02-21T06:20:14.791227300Z" /> 
  <EventRecordID>137081</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4796" ThreadID="1900" /> 
  <Channel>Microsoft-Windows-FailoverClustering/Diagnostic</Channel> 
  <Computer>computername</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
- <EventData>
  <Data Name="LogString">[CM] mscs::RegCheckpoint::SaveCheckpoint: (1018)' because of '::RegSaveKeyEx(handle, file.c_str(), nullptr, options)'</Data> 
  </EventData>
  </Event>

winlogbeat log

2022-02-21T18:44:54.691+1100    INFO    instance/beat.go:611    Home path: [C:\admin\tools] Config path: [C:\admin\tools] Data path: [C:\admin\tools\data] Logs path: [C:\admin\tools\logs]
2022-02-21T18:44:54.692+1100    INFO    instance/beat.go:618    Beat UUID: UID
2022-02-21T18:44:54.693+1100    INFO    [beat]  instance/beat.go:931    Beat info       {"system_info": {"beat": {"path": {"config": "C:\\admin\\tools", "data": "C:\\admin\\tools\\data", "home": "C:\\admin\\tools", "logs": "C:\\admin\\tools\\logs"}, "type": "winlogbeat", "uuid": "uuid"}}}
2022-02-21T18:44:54.693+1100    INFO    [beat]  instance/beat.go:940    Build info      {"system_info": {"build": {"commit": "unknown", "libbeat": "6.8.2", "time": "1754-08-30T22:43:41.128Z", "version": "6.8.2"}}}
2022-02-21T18:44:54.693+1100    INFO    [beat]  instance/beat.go:943    Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.10.6"}}}
2022-02-21T18:44:54.707+1100    INFO    [beat]  instance/beat.go:947    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2022-02-21T14:49:45.56+11:00","name":"computername","ip":["IP ADDRESS"],"kernel_version":"10.0.17763.2565 (WinBuild.160101.0800)","MAC ADDRESS":["x"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2019 Datacenter","version":"10.0","major":10,"minor":0,"patch":0,"build":"17763.2565"},"timezone":"AEDT","timezone_offset_sec":39600,"id":"id"}}}
2022-02-21T18:44:54.713+1100    INFO    [beat]  instance/beat.go:976    Process info    {"system_info": {"process": {"cwd": "C:\\admin\\tools", "exe": "C:\\admin\\tools\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 7792, "ppid": 9212, "start_time": "2022-02-21T18:44:54.204+1100"}}}
2022-02-21T18:44:54.714+1100    INFO    instance/beat.go:280    Setup Beat: winlogbeat; Version: 6.8.2
2022-02-21T18:44:54.717+1100    INFO    add_cloud_metadata/add_cloud_metadata.go:345    add_cloud_metadata: hosting provider type detected as ec2, metadata={"availability_zone":"region","instance_id":"instance_id","machine_type":"r5d.xlarge","provider":"ec2","region":"region"}
2022-02-21T18:44:54.718+1100    DEBUG   [processors]    processors/processor.go:66      Processors: add_cloud_metadata={"availability_zone":"ap-southeast-2a","instance_id":"instance_id","machine_type":"r5d.xlarge","provider":"ec2","region":"region"}
2022-02-21T18:44:54.718+1100    INFO    kinesis/kinesis.go:89   Kinesis output - stream set to: x
2022-02-21T18:44:54.719+1100    INFO    kinesis/kinesis.go:100  Kinesis output - using AWS credentials from EC2 role.
2022-02-21T18:44:54.723+1100    INFO    kinesis/kinesis.go:115  Kinesis output - using AWS region: AWS-Region
2022-02-21T18:44:54.723+1100    INFO    kinesis/kinesis.go:122  Kinesis output - assuming AWS role: arn:aws:iam::x
2022-02-21T18:44:54.724+1100    INFO    [publisher]     pipeline/module.go:110  Beat name: computername
2022-02-21T18:44:54.724+1100    INFO    beater/winlogbeat.go:68 State will be read from and persisted to C:\admin\tools\data\.winlogbeat.yml
2022-02-21T18:44:54.724+1100    DEBUG   [processors]    processors/processor.go:66      Processors:
2022-02-21T18:44:54.725+1100    DEBUG   [processors]    processors/processor.go:66      Processors:
2022-02-21T18:44:54.725+1100    DEBUG   [processors]    processors/processor.go:66      Processors:
2022-02-21T18:44:54.725+1100    DEBUG   [processors]    processors/processor.go:66      Processors:
2022-02-21T18:44:54.725+1100    DEBUG   [processors]    processors/processor.go:66      Processors:
2022-02-21T18:44:54.726+1100    DEBUG   [processors]    conditions/conditions.go:93     New condition equals: map[event_id:{2051  false}]
2022-02-21T18:44:54.726+1100    DEBUG   [processors]    conditions/conditions.go:93     New condition equals: map[event_id:{2051  false}]
2022-02-21T18:44:54.726+1100    DEBUG   [processors]    processors/processor.go:66      Processors: drop_event, condition=equals: map[event_id:{2051  false}]
2022-02-21T18:44:54.726+1100    DEBUG   [processors]    processors/processor.go:66      Processors:
2022-02-21T18:44:54.727+1100    DEBUG   [processors]    processors/processor.go:66      Processors:
2022-02-21T18:44:54.727+1100    DEBUG   [processors]    processors/processor.go:66      Processors:
2022-02-21T18:44:54.727+1100    INFO    instance/beat.go:402    winlogbeat start running.
2022-02-21T18:44:54.727+1100    INFO    [monitoring]    log/log.go:117  Starting metrics logging every 30s
2022-02-21T18:44:54.743+1100    WARN    beater/eventlogger.go:104       EventLog[TechnologyOne] Open() error. No events will be read from this source. The specified channel could not be found.
2022-02-21T18:44:55.765+1100    INFO    kinesis/kinesis.go:141  Kinesis output - Processing batch of 18 events
2022-02-21T18:44:56.658+1100    INFO    beater/eventlogger.go:73        EventLog[Microsoft-Windows-FailoverClustering/Diagnostic] successfully published 18 events
2022-02-21T18:44:56.773+1100    INFO    kinesis/kinesis.go:141  Kinesis output - Processing batch of 6 events
2022-02-21T18:44:56.789+1100    INFO    beater/eventlogger.go:73        EventLog[Microsoft-Windows-FailoverClustering/Diagnostic] successfully published 6 events
2022-02-21T18:44:57.780+1100    INFO    kinesis/kinesis.go:141  Kinesis output - Processing batch of 12 events
2022-02-21T18:44:57.796+1100    INFO    beater/eventlogger.go:73        EventLog[Microsoft-Windows-FailoverClustering/Diagnostic] successfully published 12 events
2022-02-21T18:44:58.672+1100    INFO    beater/winlogbeat.go:164        Stopping Winlogbeat
2022-02-21T18:44:58.748+1100    INFO    beater/eventlogger.go:109       EventLog[Microsoft-Windows-FailoverClustering/Operational] Stop processing.
2022-02-21T18:44:58.748+1100    INFO    beater/eventlogger.go:109       EventLog[Microsoft-Windows-FailoverClustering-Manager/Admin] Stop processing.
2022-02-21T18:44:58.749+1100    INFO    beater/eventlogger.go:109       EventLog[Microsoft-Windows-TaskScheduler/Operational] Stop processing.
2022-02-21T18:44:58.751+1100    INFO    beater/eventlogger.go:109       EventLog[Application] Stop processing.
2022-02-21T18:44:58.751+1100    INFO    beater/eventlogger.go:109       EventLog[Microsoft-Windows-AppLocker/EXE and DLL] Stop processing.
2022-02-21T18:44:58.752+1100    INFO    beater/eventlogger.go:109       EventLog[System] Stop processing.
2022-02-21T18:44:58.770+1100    INFO    beater/eventlogger.go:109       EventLog[Security] Stop processing.
2022-02-21T18:44:58.782+1100    INFO    beater/eventlogger.go:109       EventLog[Microsoft-Windows-FailoverClustering/Diagnostic] Stop processing.
2022-02-21T18:44:58.841+1100    INFO    [monitoring]    log/log.go:152  Total non-zero metrics  {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":62,"time":{"ms":62}},"total":{"ticks":140,"time":{"ms":140},"value":140},"user":{"ticks":78,"time":{"ms":78}}},"handles":{"open":377},"info":{"ephemeral_id":"ephemeral_id","uptime":{"ms":4537}},"memstats":{"gc_next":5791984,"memory_alloc":2899728,"memory_total":7551672,"rss":27594752}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":36,"batches":3,"total":36},"type":"kinesis"},"pipeline":{"clients":0,"events":{"active":0,"published":36,"total":36},"queue":{"acked":36}}},"msg_file_cache":{"Microsoft-Windows-FailoverClustering/DiagnosticHits":35,"Microsoft-Windows-FailoverClustering/DiagnosticMisses":1,"Microsoft-Windows-FailoverClustering/DiagnosticSize":1},"published_events":{"Microsoft-Windows-FailoverClustering/Diagnostic":36,"total":36},"system":{"cpu":{"cores":4}}}}}
2022-02-21T18:44:58.842+1100    INFO    [monitoring]    log/log.go:153  Uptime: 4.5907757s
2022-02-21T18:44:58.844+1100    INFO    [monitoring]    log/log.go:130  Stopping metrics logging.
2022-02-21T18:44:58.844+1100    INFO    instance/beat.go:412    winlogbeat stopped.
2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.