ver 7.2.0
I'm unable to filter the unwanted LogonType
.\winlogbeat.exe test config -c .\winlogbeat.yml -e says the cfg is ok
I've tried
- equals.event_data.LogonType: 0
or
- equals.event_data.LogonType: '0'
I've also tried moving the filter to the global processors, with no result.
For sure it's my mistake, but I don't know where to look.
Thanks in advance
Here's the winlogbeat.yml
output.logstash:
  hosts:
    - "1.2.3.4:5044"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
setup.template.settings:
  index.number_of_shards: 1
winlogbeat.event_logs:
  - name: Security
    event_id: 4624,4625,4634,4648,4771
    ignore_older: 72h
    processors:
      - drop_event.when.or:
          - equals.event_data.LogonType: "0"
          - equals.event_data.LogonType: "3"
          - equals.event_data.LogonType: "5"
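
The following is an added example, not part of the original post: a small Python model of the `drop_event.when.or` list above, evaluated against a constructed event shaped like Winlogbeat 7.x output, where the Windows event payload is nested under `winlog.event_data`. The helper names (`lookup`, `would_drop`, `unresolved_fields`) and the sample event are assumptions made for illustration; this is not Beats' own condition code.

```python
# Added example: a minimal model of a `drop_event.when.or` list of `equals`
# conditions, used to check whether the referenced field paths exist in an event.

# Constructed sample shaped like a Winlogbeat 7.x Security event: the Windows
# event payload sits under `winlog.event_data`, not a top-level `event_data`.
SAMPLE_EVENT = {
    "event": {"code": 4624},
    "winlog": {
        "channel": "Security",
        "event_id": 4624,
        "event_data": {"LogonType": "3", "TargetUserName": "svc-backup"},
    },
}

_MISSING = object()  # sentinel so a missing field differs from a null value

def lookup(event, dotted):
    """Resolve a dotted field path; return _MISSING if any segment is absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def would_drop(event, equals_conditions):
    """OR over {field: value} conditions; a missing field never matches."""
    return any(
        lookup(event, field) == value
        for cond in equals_conditions
        for field, value in cond.items()
    )

def unresolved_fields(event, equals_conditions):
    """Field paths referenced by the conditions but absent from the event."""
    fields = {f for cond in equals_conditions for f in cond}
    return sorted(f for f in fields if lookup(event, f) is _MISSING)

# The three conditions from the posted config, and the same values under the
# 7.x field path.
POSTED = [{"event_data.LogonType": v} for v in ("0", "3", "5")]
PREFIXED = [{"winlog.event_data.LogonType": v} for v in ("0", "3", "5")]

if __name__ == "__main__":
    for name, conds in (("posted", POSTED), ("prefixed", PREFIXED)):
        print(name, "drop:", would_drop(SAMPLE_EVENT, conds),
              "unresolved:", unresolved_fields(SAMPLE_EVENT, conds))
```

A condition on a field path that does not exist in the event passes `test config` because the YAML is valid, yet it never matches at run time, so nothing is dropped.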