Incorrect regexp reaction

dmalchikov · February 2, 2021, 2:51pm

Hi! Using ELK 7.10 Tried different terms but result always go through
My winlogbeat.yml:

......
'- name: Windows PowerShell
event_id: 400, 403, 600, 800
processors:
- drop_event.when.or:
- regexp.process.command_line.text: 'zabbix'
- regexp.process.args: 'zabbix'
- script:
lang: javascript
.......

Event with expected as dropped:
process.args = powershell.exe,-File, C:\zabbix\Discovery.mssql.ps1, JSONJOBNAME
process.args_count = 7
process.command_line = powershell.exe -File C:\zabbix\Discovery.mssql.ps1 JSONJOBNAME.

I just want to drop all events with "zabbix" in it. What can be wrong?

andrewkroh · February 3, 2021, 1:16pm

The problem might be with ordering of the processors. The script processor for powershell creates the process.command_line field. So to drop based on that field you would need to do the drop after the script runs.

So try:

- name: Windows PowerShell
  event_id: 400, 403, 600, 800
  processors:
     - script:
         lang: javascript
         id: powershell
         file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
     - drop_event:
         when.or:
           - contains.process.command_line: 'zabbix'
           - contains.process.args: 'zabbix'

dmalchikov · February 3, 2021, 8:53am

I didn't even guess...
Thanks!

Just config work only with my syntax. Proposed didn't pass test

andrewkroh · February 3, 2021, 1:17pm

My indentation looks like it got messed up somewhere in copy/pasting between apps. I fixed it now.