Trying to drop events by their event_id number but what I am using doesn't seem to be working. Where am I wrong at?
winlogbeat.event_logs:
- name: System
ignore_older: 72h
- name: Application
ignore_older: 72h
- name: Security
ignore_older: 72h
processors:
- drop_event.when.or:
- equals.event_id: 5156
- equals.event_id: 5145
I'm guessing because they've buried the event_id field in an object, you can't condense statements into a single line or it thinks winlog is a condition instead of a part of a field name. Below is what is accepted and works:
winlogbeat.event_logs:
- name: System
ignore_older: 72h
- name: Application
ignore_older: 72h
- name: Security
ignore_older: 72h
processors:
- script:
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
processors:
- drop_event:
when:
or:
- equals:
winlog.event_id: 5156
- equals:
winlog.event_id: 5145
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.