Hello
I have configured a filestream with a drop_event processor. I want to drop all events that are not collected by Filebeat on the hosts listed in the configuration. The problem is that the drop_event processor (version 7.17.6) drops all events even though the host is in the list.
The filestream configuration of the drop_event processor:
- drop_event:
    when:
      not:
        or:
          - equals:
              host.name: "dkrina01"
          - equals:
              host.name: "dkrina03"
          - equals:
              host.name: "dkrina04"
          - equals:
              host.name: "dkrina05"
          - equals:
              host.name: "dkrina993"
          - equals:
              host.name: "dkrina996"
          - equals:
              host.name: "eessi-rina04p"
          - equals:
              host.name: "eessi-rina03p"
          - equals:
              host.name: "eessi-rina04t"
          - equals:
              host.name: "eessi-rina03t"
          - equals:
              host.name: "eessi-gw-rina4a"
The Filebeat documentation states that the equals condition accepts only integer and string values.
When the processor is loaded the log reads:
2024-07-15T23:43:00.735+0200 DEBUG [processors] processors/processor.go:120 Generated new processors: add_fields={"event":{"dataset":"cas_audit.log"}}, drop_event, condition=!equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0] or equals: map[host.name:0x5fa6203097e0]
I assume the host.name value is a pointer to the correct string values.
When the processor kicks in, the Filebeat log on e.g. host dkrina9996 reads:
2024-07-15T23:58:56.926+0200 DEBUG [publisher] pipeline/client.go:231 Pipeline client receives callback 'onFilteredOut' for event: {Timestamp:2024-07-15 23:58:56.92580185 +0200 CEST m=+966.711715891 Meta:null Fields:{"event":{"dataset":"cas_audit.log"},"input":{"type":"filestream"},"log":{"file":{"path":"/data/dkinst996/eessi/share/logs/cas/cas_audit.log"},"flags":["multiline"],"offset":3492231},"message":"2024-07-15T23:58:54,251 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN\n=============================================================\nWHO: audit:unknown\nWHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Mon Jul 15 23:58:54 GMT+02:00 2024}\nACTION: AUTHENTICATION_EVENT_TRIGGERED\nAPPLICATION: CAS\nWHEN: Mon Jul 15 23:58:54 GMT+02:00 2024\nCLIENT IP ADDRESS: 127.0.0.1\nSERVER IP ADDRESS: 127.0.0.1\n=============================================================\n","tags":["e2e","cas_audit.log"]} Private:0xc000e981c0 TimeSeries:false}
Thanks, if you could point me to a solution.
BR Flemming
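To reproduce the decision the processor makes, here is an added example (my own code, not from the post and not Filebeat's implementation) that re-implements the not/or/equals subset of the condition logic in Python and evaluates it against the Fields of the dropped event logged above, which contain no host.name key. The names lookup, evaluate and should_drop are mine, and the event dict is a constructed subset of the logged Fields.

```python
from typing import Any

# Host list copied from the drop_event configuration in the post.
ALLOWED_HOSTS = [
    "dkrina01", "dkrina03", "dkrina04", "dkrina05", "dkrina993", "dkrina996",
    "eessi-rina04p", "eessi-rina03p", "eessi-rina04t", "eessi-rina03t",
    "eessi-gw-rina4a",
]

# Same shape as the YAML: not -> or -> [equals host.name: ...]
CONDITION = {"not": {"or": [{"equals": {"host.name": h}} for h in ALLOWED_HOSTS]}}


def lookup(fields: dict, dotted_key: str) -> Any:
    """Resolve a dotted key such as 'host.name' in nested dicts; None if absent."""
    cur: Any = fields
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(cond: dict, fields: dict) -> bool:
    """Evaluate the not/or/and/equals subset of Filebeat-style conditions (my re-implementation)."""
    (op, arg), = cond.items()
    if op == "equals":
        # A missing field resolves to None and therefore never equals a configured string.
        return all(lookup(fields, k) == v for k, v in arg.items())
    if op == "or":
        return any(evaluate(c, fields) for c in arg)
    if op == "and":
        return all(evaluate(c, fields) for c in arg)
    if op == "not":
        return not evaluate(arg, fields)
    raise ValueError(f"unsupported condition: {op}")


def should_drop(fields: dict) -> bool:
    """True when the drop_event condition matches, i.e. the event would be dropped."""
    return evaluate(CONDITION, fields)


# Constructed subset of the Fields of the dropped event in the post: there is no "host" key.
EVENT_WITHOUT_HOST = {"event": {"dataset": "cas_audit.log"}, "input": {"type": "filestream"}}

if __name__ == "__main__":
    print(should_drop(EVENT_WITHOUT_HOST))                                   # True
    print(should_drop({**EVENT_WITHOUT_HOST, "host": {"name": "dkrina996"}}))  # False
    print(should_drop({**EVENT_WITHOUT_HOST, "host": {"name": "elsewhere"}}))  # True
```

If the condition is evaluated against fields like the ones in the logged event, where host.name is absent, every equals clause is false and the surrounding not makes the whole condition true, so the event is dropped whatever host it came from. Whether host.name is already present when the input-level processors run is the thing to verify against the Filebeat documentation for that version.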