Filebeat processors not dropping events

Rahul_Dankhara · February 19, 2021, 3:14pm

Hi Team,

I am using filebeat 7.9.3 to ship events.
I do want to drop events that contains any of the below key-value pairs. I am using processors to do the same, but somehow it is not working for me.

      processors:
      - drop_event:
          when:
            or:
              - equals:
                  source.ip: "10.0.0.8"
              - contains:
                  data.win.eventdata.parentImage: "LogMeIn.exe"
              - contains:
                  data.win.eventdata.commandLine: "Teams.exe"
              - contains:
                  data.win.eventdata.commandLine: "OneDrive"
              - contains:
                  data.win.eventdata.commandLine: "GoToMeeting"
              - contains:
                  data.win.eventdata.image: "chrome.exe"

Rahul_Dankhara · February 19, 2021, 3:15pm

Also, Which option is better to use Processors or Exclude?

jsoriano · February 19, 2021, 4:41pm

Hi @Rahul_Dankhara,

Where are you placing these processors in your config?

Could you share an example document that is not being dropped with these conditions?

system · March 19, 2021, 6:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.