Processor [drop_event] not dropping events Beats Winlogbeat

EFr · July 3, 2019, 1:56pm

ver 7.2.0

I'm unable to filter the unwanted LogonType
.\winlogbeat.exe test config -c .\winlogbeat.yml -e says the cfg is ok
I've tried
- equals.event_data.LogonType: 0
or
- equals.event_data.LogonType: '0'
as i've tried to move the filter to global processor with no result.
For sure my mistake but i dont know where to look.

Thanks in advance

Here's the winlogbeat.yml

output.logstash: 
  hosts: 
    - "1.2.3.4:5044"
processors: 
  - add_host_metadata: ~
  - add_cloud_metadata: ~

setup.template.settings: 
  index.number_of_shards: 1

winlogbeat.event_logs:
  - name: Security
    event_id: 4624,4625,4634,4648,4771
    ignore_older: 72h    
    processors:
      - drop_event.when.or: 
        - equals.event_data.LogonType: "0"
        - equals.event_data.LogonType: "3"
        - equals.event_data.LogonType: "5"

andrewkroh · July 3, 2019, 2:39pm

Isn’t the field you are trying to filter on actually called winlog.event_data.LogonType?

EFr · July 3, 2019, 3:09pm

Correct the problem was the field name i take from a sample.
The right filed name is winlog.event_data.LogonType as you say

Many thanks
Regards

system · July 31, 2019, 3:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.