Filebeat processors not dropping events

Rahul_Dankhara · February 19, 2021, 3:14pm

Hi Team,

I am using filebeat 7.9.3 to ship events.
I do want to drop events that contains any of the below key-value pairs. I am using processors to do the same, but somehow it is not working for me.

      processors:
      - drop_event:
          when:
            or:
              - equals:
                  source.ip: "10.0.0.8"
              - contains:
                  data.win.eventdata.parentImage: "LogMeIn.exe"
              - contains:
                  data.win.eventdata.commandLine: "Teams.exe"
              - contains:
                  data.win.eventdata.commandLine: "OneDrive"
              - contains:
                  data.win.eventdata.commandLine: "GoToMeeting"
              - contains:
                  data.win.eventdata.image: "chrome.exe"

Rahul_Dankhara · February 19, 2021, 3:15pm

Also, Which option is better to use Processors or Exclude?

jsoriano · February 19, 2021, 4:41pm

Hi @Rahul_Dankhara,

Where are you placing these processors in your config?

Could you share an example document that is not being dropped with these conditions?

system · March 19, 2021, 6:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop_event processor with not and or condition filters out all event Beats filebeat	4	38	July 16, 2024
Filebeat filtering, drop event processor script Beats filebeat	12	3129	March 2, 2022
Winlogbeat processor not dropping events Beats winlogbeat	8	3033	February 27, 2018
Drop Processors on .yml file Beats filebeat	7	319	August 4, 2022
Drop_event in 7.6.0 Beats winlogbeat	2	367	March 31, 2020

Filebeat processors not dropping events

Related Topics