Journalbeat installation on Linux with default configuration. Output is configured to external Logstash.
Everything works fine except drop_event processors.
Changes applied to journalbeat.yml:
#================================ Processors =====================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
- add_host_metadata: ~
#- add_cloud_metadata: ~
#- add_docker_metadata: ~
# This processor should drop events created by jorunalbeat.
processors:
- drop_event:
when:
equals:
# process.name: "journalbeat"
systemd.unit: "journalbeat.service"
#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: warning
Using different syntax doesn't help:
- drop_event.when.equals.process.name: "journalbeat"
- drop_event.when.equals.systemd.unit: "journalbeat.service"
Can anyone chime in on why the drop_event process is completely ignored and journalbeat log messages arrive to Logstash regardless the field and name used in the condition?
Thank you in advance,
Lara