Hello, I'm working on a winlogbeat.yml. I want to filter events by event provider. I am using the regexp property so that all events that do not begin as specified would just be dropped.
I'm so new to ELK.
Here is what I tried, based on the regexp definition. But I'm not getting anything (zero events) in the output.
winlogbeat.event_logs:
  - name: Application
    processors:
      - drop_event.when.not.regexp.winlog.provider_name: "^Configuration.*"
      - drop_event.when.not.regexp.winlog.provider_name: "^Cisco.*"
This means that I'm supposed to get all the events beginning with "Configuration" or "Cisco".
Here is a link to documentation https://www.elastic.co/guide/en/beats/winlogbeat/master/defining-processors.html
I wish I could get some help here.
Thanks
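The following is an added example, not part of the original post and not Winlogbeat's own code. It re-implements the small subset of the Beats condition syntax used above (regexp, not, or, and) in Python and runs both the two-processor form from the question and a single processor with an `or` condition over a handful of constructed events. Processors in a list run one after another, so an event must survive every `drop_event` to reach the output; with the chained form, any event that survives the first `not` (it starts with "Configuration") is dropped by the second (it does not start with "Cisco"), which is why nothing comes out. The field name `winlog.provider_name` and the sample provider strings are assumptions for illustration.

```python
import re

# Constructed sample events (not taken from any real log); only the field the
# processors test is populated.
SAMPLE_EVENTS = [
    {"winlog": {"provider_name": "Configuration Manager Client"}},
    {"winlog": {"provider_name": "Cisco AnyConnect Secure Mobility Client"}},
    {"winlog": {"provider_name": "Microsoft-Windows-Security-SPP"}},
    {"winlog": {"provider_name": "MsiInstaller"}},
]


def get_field(event, dotted):
    """Resolve a dotted field name such as 'winlog.provider_name'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(cond, event):
    """Evaluate a Beats-style condition given as nested dicts/lists.

    Mirrors the documented semantics for the keys used here: 'regexp' is an
    unanchored match (like Go's MatchString), so the leading '^' is what
    anchors the pattern to the start of the provider name; 'not', 'or' and
    'and' combine sub-conditions.
    """
    if "regexp" in cond:
        # Every listed field must match its pattern; missing/non-string fields fail.
        return all(
            isinstance(get_field(event, field), str)
            and re.search(pattern, get_field(event, field)) is not None
            for field, pattern in cond["regexp"].items()
        )
    if "not" in cond:
        return not evaluate(cond["not"], event)
    if "or" in cond:
        return any(evaluate(c, event) for c in cond["or"])
    if "and" in cond:
        return all(evaluate(c, event) for c in cond["and"])
    raise ValueError(f"unsupported condition: {cond}")


def run_pipeline(processors, events):
    """Apply drop_event processors in order; an event is kept only if no processor drops it."""
    return [
        ev for ev in events
        if not any(evaluate(p["drop_event"]["when"], ev) for p in processors)
    ]


# The two chained processors from the question, as nested conditions.
CHAINED = [
    {"drop_event": {"when": {"not": {"regexp": {"winlog.provider_name": "^Configuration.*"}}}}},
    {"drop_event": {"when": {"not": {"regexp": {"winlog.provider_name": "^Cisco.*"}}}}},
]

# One processor that drops everything NOT matching either pattern. The
# equivalent winlogbeat.yml fragment (assumed, expanded form) is:
#
#   processors:
#     - drop_event:
#         when:
#           not:
#             or:
#               - regexp:
#                   winlog.provider_name: "^Configuration.*"
#               - regexp:
#                   winlog.provider_name: "^Cisco.*"
COMBINED = [
    {"drop_event": {"when": {"not": {"or": [
        {"regexp": {"winlog.provider_name": "^Configuration.*"}},
        {"regexp": {"winlog.provider_name": "^Cisco.*"}},
    ]}}}},
]


def surviving_providers(processors, events=SAMPLE_EVENTS):
    """Return the provider names of the events that reach the output."""
    return [get_field(ev, "winlog.provider_name") for ev in run_pipeline(processors, events)]


if __name__ == "__main__":
    print("chained :", surviving_providers(CHAINED))   # []
    print("combined:", surviving_providers(COMBINED))  # the Configuration and Cisco events
```

Two practical caveats when carrying this over to the real config: the match is case-sensitive unless the pattern starts with `(?i)`, and because the match is unanchored the trailing `.*` adds nothing; `^Configuration` is enough. Check the actual field name in your Winlogbeat version's output before relying on it, since an event without the field never matches and is therefore dropped by a `not` condition.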