Hi,
I was trying to use this configuration but it's not dropping events:
processors:
- drop_event:
when:
and:
- not:
equals:
dest.ip: "1.2.3.4.5"
- not:
equals:
dest.port: 22
essentially, I would like to send to my logstash only the tcp packages where the dest.ip is "1.2.3.4.5" and dest.port is 22.
What am I doing wrong?
Is dest.port a string in the event? If so then it needs to have quotes the config.
Using a custom BPF filter would be more efficient. https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-interfaces.html#_bpf_filter
dest.port is a number. I think it's a problem of my code since if I try this code:
processors:
- drop_event:
when:
not:
equals:
dest.port: 22
it works correctly.
I didn't look at logic initally, but that statement would be !(dest.ip == 1.2.3.4 && dest.port == 22).
processors:
- drop_event.when.not:
and:
- equals.dest.ip: "1.2.3.4"
- equals.dest.por: 22
which I think is the same result as running these two processors:
processors:
- drop_event.when.not.equals.dest.ip: "1.2.3.4"
- drop_event.when.not.equals.dest.port: 22
But again, putting this into a BPF filter would be much better.
packetbeat.interfaces.bpf_filter: host 1.2.3.4 and port 22
The logic mechanism that you suspected is exact. I Will try it to give you a feedback,but thank you for the answer.
Personnal note: the syntax with dot char is more clear and easy of indent usage but I didn't find any reference in the 5.3 guide. Was My fault I guess
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.