Incorrect regexp reaction

Hi! Using ELK 7.10 Tried different terms but result always go through
My winlogbeat.yml:

......
'- name: Windows PowerShell
event_id: 400, 403, 600, 800
processors:
- drop_event.when.or:
- regexp.process.command_line.text: 'zabbix'
- regexp.process.args: 'zabbix'
- script:
lang: javascript
.......

Event with expected as dropped:
process.args = powershell.exe,-File, C:\zabbix\Discovery.mssql.ps1, JSONJOBNAME
process.args_count = 7
process.command_line = powershell.exe -File C:\zabbix\Discovery.mssql.ps1 JSONJOBNAME.

I just want to drop all events with "zabbix" in it. What can be wrong?

The problem might be with ordering of the processors. The script processor for powershell creates the process.command_line field. So to drop based on that field you would need to do the drop after the script runs.

So try:

- name: Windows PowerShell
  event_id: 400, 403, 600, 800
  processors:
     - script:
         lang: javascript
         id: powershell
         file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
     - drop_event:
         when.or:
           - contains.process.command_line: 'zabbix'
           - contains.process.args: 'zabbix'

I didn't even guess...
Thanks!

Just config work only with my syntax. Proposed didn't pass test

My indentation looks like it got messed up somewhere in copy/pasting between apps. I fixed it now.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.