Hi, so I have in Logstash a filter of:

```
if [process][exe] == "/opt/tivoli/tsm/client/ba/bin/dsmc" {
  drop { }
}
```
Is the equivalent in Auditbeat:

```
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- drop_event:
    equals:
      process.exe: /opt/tivoli/tsm/client/ba/bin/dsmc
```
And if I want to add further ones like this, something like:

```
processors:
- drop_event:
    equals:
      process.exe: /opt/tivoli/tsm/client/ba/bin/dsmc
    equals:
      process.exe: /usr/bin/rsync
```

Or would it be more efficient to use an `or:` in here?
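For reference, an added example that is not part of the original post: a `drop_event` processor matching either executable, using the `when` and `or` condition syntax that Beats processors accept. It assumes the events carry the path in `process.exe` as in the post; ECS-based Auditbeat releases (7.0 and later) name this field `process.executable`.

```yaml
processors:
  - drop_event:
      # drop_event takes its condition under `when`; a processor with no
      # condition drops every event.
      when:
        # A YAML mapping cannot hold the key `equals` twice (one entry is
        # lost or the file is rejected, depending on the parser), so the
        # alternatives go in a list under `or`.
        or:
          - equals:
              process.exe: "/opt/tivoli/tsm/client/ba/bin/dsmc"
          - equals:
              process.exe: "/usr/bin/rsync"
      # Caveat: events are dropped on the host before shipping, so anything
      # executed through these two paths leaves no audit record downstream.
      # Keep the list short, match full paths only, and monitor the binaries
      # themselves for modification (for example with the file_integrity module).
```

`auditbeat test config -c auditbeat.yml` checks that the file parses before the service is restarted.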