if [EventID] != 538 or [EventID] != 528 {
and, not or. If you think about it, the expression above is always true. Do this instead:
if [EventID] not in [528, 538] {
So what I am really after is: is there a way to drop bulk Windows events from being shipped to Elasticsearch? We'd like to have all the events sent to Logstash in case we'd like to monitor those events, but at this time we wish to not record them in ELK.
Just wrap the elasticsearch output in a conditional instead of wrapping a drop filter in a conditional.
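A full pipeline built around that advice, added here as an example and not part of the thread. The `[EventID]` field and the IDs 528 and 538 come from the question; the beats input, the Elasticsearch host, the index name and the file path are assumptions.

```logstash
input {
  # Assumed: the Windows events reach Logstash over the Beats protocol.
  beats { port => 5044 }
}

output {
  # Events with ID 528 or 538 never reach Elasticsearch.
  # "not in" is the correct test; "[EventID] != 538 or [EventID] != 528"
  # is true for every event and would filter nothing.
  if [EventID] not in [528, 538] {
    elasticsearch {
      hosts => ["http://elasticsearch.example:9200"]   # placeholder host
      index => "winlogbeat-%{+YYYY.MM.dd}"              # assumed index pattern
    }
  } else {
    # Optional: keep the excluded events on local disk so they can still be
    # reviewed if monitoring of those IDs is switched on later.
    file { path => "/var/log/logstash/skipped-windows-events.log" }
  }
}
```

With only the `if` branch and no `else`, the excluded events are simply discarded once the pipeline has processed them, so no separate `drop` filter is needed.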