Drop Processors on .yml file

Hi, I am unable to use the following drop processors on yml

processors:
  - drop_event.when:
      network:
        destination.ip: ['8.8.8.8/32', '8.8.4.4/32', '10.10.10.10/32']

Try this?

- drop_event.when.network.destination.ip: ['8.8.8.8/32', '8.8.4.4/32', '10.10.10.10/32']

If not working, please post logs and configuration as preformatted to keep their indents.

Hello, I tried, the filebeat is running but the processor is not dropping the events. I also followed the elastic guide for processor configurations.

There must be indents

processors:
  - drop_event.when.network.destination.ip: ['8.8.8.8/32', '8.8.4.4/32', '10.10.10.10/32']

If it is not working, the log of your beat (I guess packetbeat?) might have helpful information.

What module are you using?

There is often confusion when using processors in filebeat / beats

In short the fields need to exist on the filebeat side / context ... but often the fields are only created / parsed / available AFTER they have been transmitted and processed on the elasticsearch ingest pipeline side... That is where the parsing is...

So in short you may be trying to drop in filebeat based on a field that does not exist yet in the filebeat context... because it has not been parsed out yet.

An easy way to check what fields are available is to set the filebeat output to console and see what the data looks like... you will only be able to operate on the fields available.

Hope this makes sense

That is not to say you can not possibly do it by using contains condition ... or another way...
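To make the point above concrete, here is a small added example (not code from the thread or from Beats itself) that emulates how a drop_event processor with a network condition is evaluated on the Beats side. It assumes the condition behaves as the Beats documentation describes (the field must exist, hold a valid IP, and fall inside one of the CIDR ranges) and uses constructed events: a packetbeat-style event that already carries destination.ip, and a raw filebeat log line where destination.ip does not exist yet because parsing happens later in the ingest pipeline. The dotted-field lookup helper is an approximation of the real implementation.

```python
import ipaddress

# CIDR list taken from the drop_event condition discussed in the thread.
DROP_RANGES = ['8.8.8.8/32', '8.8.4.4/32', '10.10.10.10/32']


def get_field(event, dotted):
    """Resolve a dotted field name against an event dict.

    Approximation of Beats field lookup: accept both the flat form
    {'destination.ip': ...} and the nested form {'destination': {'ip': ...}}.
    Returns None when the field is absent.
    """
    if dotted in event:
        return event[dotted]
    cur = event
    for part in dotted.split('.'):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def network_condition_matches(event, field, ranges):
    """Emulate the `network` condition: true only if the field exists,
    is a valid IP address, and lies inside any of the given CIDR ranges."""
    value = get_field(event, field)
    if value is None:
        return False  # field not present in this context: condition cannot match
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP string: condition is simply false, no error
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def apply_drop_event(events, field, ranges):
    """Return the events that survive a drop_event.when.network.<field> processor."""
    return [e for e in events if not network_condition_matches(e, field, ranges)]


# Constructed sample events; the "source" key is only a label for the reader.
SAMPLE_EVENTS = [
    # packetbeat populates destination.ip itself, so the processor can see it.
    {"source": "packetbeat", "destination": {"ip": "8.8.8.8"}, "event": {"dataset": "dns"}},
    {"source": "packetbeat", "destination": {"ip": "192.168.1.20"}},
    # filebeat raw line: the IP is still inside `message`; destination.ip is
    # only created by the ingest pipeline, so the condition cannot match here.
    {"source": "filebeat", "message": "... dst=8.8.8.8 ..."},
    # flat key with a value that is not an IP: must not raise, just not match.
    {"source": "filebeat", "destination.ip": "not-an-ip"},
]


def demo():
    """Run the processor over the sample events and return what is kept."""
    return apply_drop_event(SAMPLE_EVENTS, "destination.ip", DROP_RANGES)


if __name__ == "__main__":
    for kept in demo():
        print(kept)
```

Only the packetbeat event whose destination.ip is 8.8.8.8 is dropped; the filebeat line that mentions the same address survives because the field does not exist in the filebeat context. That is the same result you would see by switching the output to console and comparing the fields present before and after the ingest pipeline.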

Looks like packetbeat since he is using destination.ip.

That field should not be a problem. I guess the problem was coming from tab indentation.
I am not sure without seeing the log; that is why I suggested putting all settings on one line to make sure.

Yep, I like the one line method too.

But I'm not assuming packetbeat until I see it, @maviles

Are you using packetbeat or filebeat?

And yes @maviles

Please include your full .yml and logs if you can
