Elastic-agent cloudflare logpull and problem with using processors for filter events

slast · August 14, 2022, 9:29pm

Hi Everyone
I have a problem with elastic-agent( ver 7.17.4) that we are using to collect logs from cloudflare.
I want to drop some events by using processors in "Edit Cloudflare integration" - but nothing is work. In "Cloudflare integration" i see that " Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. May be i used wrong fields . Please help if you know.
Here is some examples that i used to drop events:

I want to drop all events that has not field cloudflare.firewall.actions

processors:

drop_event:
when:
not:
has_fields: ['cloudflare.firewall.actions']

I want to drop all events when cloudflare.edge.pathing.src: "test"
processors:

drop_event:
when:
equals:
cloudflare.edge.pathing.src: "test"

For now nothing is work

slast · August 15, 2022, 10:43am

I turn on Preserve original event to see original event from Cloudflare.
After that we see that cloudflare.edge.pathing.src = EdgePathingSrc
Answer:

processors:

drop_event:
when:
regexp:
message: ""EdgePathingSrc":"test""

system · October 5, 2022, 8:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop event doesnt drop any Elastic Agent filebeat	0	75	May 7, 2024
Drop_event processor in Powershell Channels Elastic Agent fleet	3	92	July 18, 2024
Winlogbeat 8.4 - Processors - Drop Event Beats winlogbeat	2	367	December 30, 2022
Unable to drop events Beats winlogbeat	6	986	June 28, 2018
Processors in Endpoint/Elastic-Agent Endpoint Security	3	1140	September 2, 2021

Elastic-agent cloudflare logpull and problem with using processors for filter events

Related topics