Packetbear drop event doesnt work

Sergey.k · October 18, 2018, 7:14am

packetbaet version 6.3

Packetbeat don't drop event when path field are equal the text "/application/some-text"

packetbeat.yml:

packetbeat.interfaces.device: any

packetbeat.flows:
  enabled: false

packetbeat.protocols:
- type: http
  ports:
  - 80
  send_request: true
  send_response: true
  include_body_for:
  - text/xml
  - application/json
  - application/hal+json
  - text/plain


fields:
  env: prod

fields_under_root: true

setup.template.settings:
  index.number_of_shards: 3

output.elasticsearch:
  hosts: ["http://192.168.2.18:9200"]

processors:
- drop_event:
    when:
      equals:
        path: "/application/some-text"

processors:
- drop_fields:
    fields: ["http.response.body","http.request.body"]

adrisr · October 25, 2018, 2:30pm

Hi,

You cannot define two processors sections. The latest one is overriding the previous, so only the drop_fields processor is enabled. If you want more than one processor you need to group all of them under a single processors key:

processors:
- drop_event:
    when:
      equals:
        path: "/application/some-text"
- drop_fields:
    fields: ["http.response.body","http.request.body"]

Also, I'm curious why you would ask Packetbeat to include the request and response bodies using include_body_for and then drop the fields, but maybe your configuration is clipped and there is some condition for the drop_fields processor.

system · November 22, 2018, 2:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.