Processors syntax

Hi,

I'm having problems with the syntax for creating a processor to drop messages in auditbeat.
My field process.args has the value ["-bash"]. If I configure the processor:

processors:
    - drop_event:
           when:
             contains:
               process.args: "["-bash"]"

Auditbeat won't start. If I remove the "" around the value, auditbeat starts but the rule doesn't match.

Any help would be much appreciated.
Thanks
Luka

The contains condition only matches if the field value is a string. This is a limitation of the implementation in Beats. It would be nice if the condition also worked on string arrays, which is what process.args is. So currently this will never match.

I'm not sure what you were trying to match. But if you were trying to specify a string literal of ["-bash"], then in YAML you would need to put single-quotes around the literal, like '["-bash"]'.

Would you like to open an enhancement request in the GitHub repo for making the contains condition work on string arrays? The behavior that I would expect is that each argument would be checked to see if it contains the given string.
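To make the two behaviours in this reply concrete, here is an added example (not code from Beats or from anyone in this thread) that models the contains condition in Go: one function with the string-only semantics described above, and one with the requested per-element semantics for string arrays. The Event type, the dotted-key lookup and the sample auditbeat-like events are all constructed for this example. It also shows that a needle of `["-bash"]` (the literal once the YAML quoting is fixed) would not match the argument list even with array support, because no element contains the square brackets; the needle that matches per element is `-bash`.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a nested Beats-style event; fields are addressed with dotted
// keys such as "process.args" (an assumption of this example, not the
// Beats API).
type Event map[string]interface{}

// lookup walks nested maps following a dotted key.
func lookup(ev Event, key string) (interface{}, bool) {
	var cur interface{} = map[string]interface{}(ev)
	for _, part := range strings.Split(key, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = m[part]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// ContainsStringOnly models the behaviour described in the reply: the
// condition matches only when the field holds a plain string, so an array
// of strings such as process.args never matches.
func ContainsStringOnly(ev Event, field, needle string) bool {
	v, ok := lookup(ev, field)
	if !ok {
		return false
	}
	s, isStr := v.(string)
	return isStr && strings.Contains(s, needle)
}

// ContainsWithArrays models the requested enhancement: every element of a
// string array is checked, and the condition matches if any element
// contains the needle.
func ContainsWithArrays(ev Event, field, needle string) bool {
	v, ok := lookup(ev, field)
	if !ok {
		return false
	}
	switch t := v.(type) {
	case string:
		return strings.Contains(t, needle)
	case []string:
		for _, s := range t {
			if strings.Contains(s, needle) {
				return true
			}
		}
	case []interface{}:
		for _, e := range t {
			if s, ok := e.(string); ok && strings.Contains(s, needle) {
				return true
			}
		}
	}
	return false
}

// DropEvents applies a drop_event-style filter: events for which cond is
// true are dropped, the rest are returned for forwarding.
func DropEvents(events []Event, cond func(Event) bool) []Event {
	var kept []Event
	for _, ev := range events {
		if !cond(ev) {
			kept = append(kept, ev)
		}
	}
	return kept
}

// sampleEvents returns constructed events shaped like auditbeat process
// events; they are sample data, not captured output.
func sampleEvents() []Event {
	return []Event{
		{"process": map[string]interface{}{"name": "bash", "args": []string{"-bash"}}},
		{"process": map[string]interface{}{"name": "sshd", "args": []string{"/usr/sbin/sshd", "-D"}}},
		{"process": map[string]interface{}{"name": "ls", "args": []string{"ls", "-la"}}},
	}
}

func main() {
	evs := sampleEvents()
	fmt.Println("string-only, args contains -bash:", ContainsStringOnly(evs[0], "process.args", "-bash"))
	fmt.Println("array-aware, args contains -bash:", ContainsWithArrays(evs[0], "process.args", "-bash"))
	fmt.Println("array-aware, args contains [\"-bash\"]:", ContainsWithArrays(evs[0], "process.args", `["-bash"]`))
	kept := DropEvents(evs, func(e Event) bool { return ContainsWithArrays(e, "process.args", "-bash") })
	fmt.Println("events forwarded after drop:", len(kept))
}
```

The `[]interface{}` case is there because a YAML or JSON decoder typically yields that type for lists rather than `[]string`; both are handled so the check behaves the same whichever way the event was built.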

Hi Andrew,

Thanks for the response and the clarification of the Beats processor implementation.

Yes, I would like to match the string literal ["-bash"]; the valid syntax in YAML is '["-bash"]', as you said.
I would like to drop all unneeded messages on the auditbeat side and not forward them to Elasticsearch.

From my point of view, I would also expect auditbeat to match all strings in a contains condition regardless of whether there are square brackets in the string. I can open an enhancement request in the GitHub repo.

Thanks and best regards,
Luka

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.