Filter when field is missing

grants · January 23, 2018, 5:14pm

I need to be able to build a drop rule when a filed is missing from the event, I'm not currently able to filter and do not see any conditions that would help with this. Example:

processors:
- drop_event.when:
    and:
      - equals.event_id: 800
      - or:
         ## Common
          - equals.event_data.param1: "    Microsoft.PowerShell.Core\\Set-StrictMode -Off"
         ## no command / param1 missing
          - equals.event_data.param1: ""

I know this can be dropped at Logstash, but I don't even want to send events to Logstash if "param1" is not present in the 800 events.

Can anyone help with some winlogbeat filtering config that could accomplish this task? I think i can do this with a not matches regex with ".*" but this seems like it would be a performance hit.

tudor · January 23, 2018, 8:45pm

We don't have an exists conditional, but I think it would make sense to provide one. If you can open an enhancement ticket, we can probably add it for a future version.

In the meantime, if you can get the regexp version to work, I think there shouldn't be a huge performance hit since the regexp won't actually get to run.

grants · February 1, 2018, 3:55pm

Where would I open this request or are you talking about a issue on the git page?

tudor · February 1, 2018, 5:17pm

Please open a ticket here: https://github.com/elastic/beats/issues

system · March 1, 2018, 5:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.