Filebeat processors not dropping events

Rahul_Dankhara · February 19, 2021, 3:14pm

Hi Team,

I am using filebeat 7.9.3 to ship events.
I do want to drop events that contains any of the below key-value pairs. I am using processors to do the same, but somehow it is not working for me.

      processors:
      - drop_event:
          when:
            or:
              - equals:
                  source.ip: "10.0.0.8"
              - contains:
                  data.win.eventdata.parentImage: "LogMeIn.exe"
              - contains:
                  data.win.eventdata.commandLine: "Teams.exe"
              - contains:
                  data.win.eventdata.commandLine: "OneDrive"
              - contains:
                  data.win.eventdata.commandLine: "GoToMeeting"
              - contains:
                  data.win.eventdata.image: "chrome.exe"

Rahul_Dankhara · February 19, 2021, 3:15pm

Also, Which option is better to use Processors or Exclude?

jsoriano · February 19, 2021, 4:41pm

Hi @Rahul_Dankhara,

Where are you placing these processors in your config?

Could you share an example document that is not being dropped with these conditions?

system · March 19, 2021, 6:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Processor [drop_event] not dropping events Beats winlogbeat	9	9108	February 16, 2017
Filebeat drop_event Beats filebeat	2	3922	July 5, 2017
Drop event processor not working Beats winlogbeat	1	528	March 21, 2022
Drop_event processor with not and or condition filters out all event Beats filebeat	4	40	July 16, 2024
Processor not working Beats filebeat	2	542	October 1, 2019

Filebeat processors not dropping events

Related topics