Drop Events works only for Linux

Hello Sirs,
Could you please let me know why my drop events below are only working for Linux and not for the Windows platform? Is there something that should be different in the metricbeat.yml file?

Below is my metricbeat.yml file for Linux (works fine):

processors:
  - drop_event:
      when:
        or:
          - regexp:
              system.filesystem.mount_point: '^(/sys|/cgroup|/proc|/dev|/etc|/host|/run|/mnt/home|/var/lib/lxcfs|/var/lib/docker|/snap*)($|/)'
          - equals:
              system.network.name: 'lo'
          - regexp:
              system.diskio.name: "fd0|sr0"
          - not:
              has_fields: ['system']
fields:
  uuid: ********************************

Below is my metricbeat.yml file for Linux (does NOT work):

processors:
  - drop_event:
      when:
        or:
          - equals:
              system.network.name: 'Loopback Pseudo-Interface 1'
          - not:
              has_fields: ['system']
fields:
  uuid: *******************************

Hi!

Do you see any errors, or does the processor just not filter out the events on Windows? You can try to verify whether you have the same conditions on Windows; do the conditions depend on a platform-specific field?

C.

Hello, there isn't any error; the processor doesn't filter out the events on Windows.
Regarding your suggestion (you can try to verify whether you have the same conditions on Windows):
I'll set up the same conditions as on Linux and perform some tests on a Windows machine.
About your question (do the conditions depend on a platform-specific field?):
If you look at the Windows conditional, we are dropping network events that don't need to be set up on Linux. So, I would say yes.
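A way to check which documents a `drop_event` condition would match before shipping the config, as an added example that is not from this thread or from Beats itself: a small evaluator for the `or`/`not`/`equals`/`regexp`/`has_fields` subset used above, run over constructed sample events (flattened dotted keys, not real Metricbeat output). It reproduces the unanchored `regexp` and the "absent field never equals" behaviour; `has_fields` is simplified to a key-prefix check.

```python
import re

# Constructed sample events for illustration only. Keys are the flattened
# dotted paths the condition syntax refers to.
EVENTS = [
    {"system.network.name": "lo", "system.network.in.bytes": 10},
    {"system.network.name": "Loopback Pseudo-Interface 1"},
    {"system.network.name": "Ethernet0"},
    {"system.filesystem.mount_point": "/proc/sys"},
    {"system.filesystem.mount_point": "/data"},
    {"host.name": "win-1"},  # no system.* field at all
]

def has_fields(event, names):
    # Simplification: a field "exists" if it is a key or a prefix of a key.
    return all(any(k == n or k.startswith(n + ".") for k in event) for n in names)

def evaluate(cond, event):
    """Evaluate one 'when' condition tree against a flattened event."""
    (kind, arg), = cond.items()
    if kind == "or":
        return any(evaluate(c, event) for c in arg)
    if kind == "not":
        return not evaluate(arg, event)
    if kind == "has_fields":
        return has_fields(event, arg)
    if kind == "equals":
        return all(event.get(f) == v for f, v in arg.items())
    if kind == "regexp":  # unanchored search, like Go's regexp.MatchString
        return all(f in event and re.search(p, str(event[f])) for f, p in arg.items())
    raise ValueError(f"unsupported condition: {kind}")

LINUX_WHEN = {"or": [
    {"regexp": {"system.filesystem.mount_point": r"^(/sys|/cgroup|/proc|/dev|/etc|/host|/run|/mnt/home|/var/lib/lxcfs|/var/lib/docker|/snap*)($|/)"}},
    {"equals": {"system.network.name": "lo"}},
    {"regexp": {"system.diskio.name": "fd0|sr0"}},
    {"not": {"has_fields": ["system"]}},
]}

WINDOWS_WHEN = {"or": [
    {"equals": {"system.network.name": "Loopback Pseudo-Interface 1"}},
    {"not": {"has_fields": ["system"]}},
]}

def dropped(when, events):
    """Return the events the drop_event processor would discard."""
    return [e for e in events if evaluate(when, e)]

if __name__ == "__main__":
    print("linux drops:", dropped(LINUX_WHEN, EVENTS))
    print("windows drops:", dropped(WINDOWS_WHEN, EVENTS))
```

Comparing the dropped list with the documents that actually reach the output shows whether the condition itself is at fault or the field values on the Windows host differ from what the config expects.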

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.