Drop_event.when.not.or: - not working, Please help

Hi Guys,

For some reason... Winlogbeat is grabbing all security logs not just the one listed below, any idea what I'm missing ?, Running 7.5.1

Thx!

 winlogbeat.event_logs:

• name: Security
  processors:
  • drop_event.when.not.or:
    • equals.winlog.event_id: 4754
    • equals.winlog.event_id: 4755
    • equals.winlog.event_id: 4757
    • equals.winlog.event_id: 4758
    • equals.winlog.event_id: 4764
    • equals.winlog.event_id: 4740
    • equals.winlog.event_id: 4728
    • equals.winlog.event_id: 4732
    • equals.winlog.event_id: 4756
    • equals.winlog.event_id: 4735
    • equals.winlog.event_id: 4724
    • equals.winlog.event_id: 4625
    • equals.winlog.event_id: 4648
    • equals.winlog.event_id: 1102
    • equals.winlog.event_id: 4624
    • equals.winlog.event_id: 5038
    • equals.winlog.event_id: 6281
    • equals.winlog.event_id: 4727
    • equals.winlog.event_id: 4729
    • equals.winlog.event_id: 4730
    • equals.winlog.event_id: 4731
    • equals.winlog.event_id: 4733
    • equals.winlog.event_id: 4734
    • equals.winlog.event_id: 4737
      #ignore_older: 72h

I have tried to format this in a different way ... still no luck, receiving all logs and not only the ones below.

    winlogbeat.event_logs:

• name: Security
  processors:
• drop_event:
  when:
  not:
  or:
  - equals.winlog.event_id: 4754
  - equals.winlog.event_id: 4754
  - equals.winlog.event_id: 4755
  - equals.winlog.event_id: 4757
  - equals.winlog.event_id: 4758
  - equals.winlog.event_id: 4764
  - equals.winlog.event_id: 4740
  - equals.winlog.event_id: 4728
  - equals.winlog.event_id: 4732
  - equals.winlog.event_id: 4756
  - equals.winlog.event_id: 4735
  - equals.winlog.event_id: 4724
  - equals.winlog.event_id: 4625
  - equals.winlog.event_id: 4648
  - equals.winlog.event_id: 1102
  - equals.winlog.event_id: 4624
  - equals.winlog.event_id: 5038
  - equals.winlog.event_id: 6281
  - equals.winlog.event_id: 4727
  - equals.winlog.event_id: 4729
  - equals.winlog.event_id: 4730
  - equals.winlog.event_id: 4731
  - equals.winlog.event_id: 4733
  - equals.winlog.event_id: 4734
  - equals.winlog.event_id: 4737

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.