Logstash Filter to drop Beats events

jwwags92 · August 22, 2019, 5:00pm

I tried hard to filter most events i'm not interested in in the Winlogbeat config. However, I've now got ~100 Windows servers and I don't want to edit 100 files to filter events 256 / 258. I'm trying to use Logstash to do it.

In the Filter section of the logstash.conf in conf.d I have :

filter {
if [event_id] == 256 {
drop { }
}
if [event_id] == 258 {
drop { }
}
}

There is a # in Kibana for event_id. So I'm assuming it's an Integer. But I've tried it with quotes "256". Without quotes. I've tried it without the brackets [event_id]. I've tried it With quotes around the "Event_Id" field. I'm simply at a loss. Logstash does not drop the event. Any recommendations of things I could try would be greatly appreciated.

jwwags92 · August 22, 2019, 5:46pm

I appear to have solved this. I needed :

[winlog][event_id] == 256

The double square brackets for nested fields was in the documentation. There's other documentation, I was looking at the wrong documentation. Ha ha.

system · September 19, 2019, 5:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop event if condition Logstash	7	3022	February 14, 2020
Problems with Drop Filter in Logstash Logstash	2	345	July 18, 2019
Help with basic filtering of eventID from winlogbeat Logstash	3	354	May 5, 2020
Filtering Winlogbeat on Event ID Beats winlogbeat	8	10032	July 5, 2017
Filter winlog.event_id in wineventlog Logstash	4	864	December 26, 2019

Logstash Filter to drop Beats events

Related Topics