I'm trying to drop events for which the winlog.event_data.TargetUserName ends with $ but keep the event when winlog.event_data.TargetUserName has $ not as the end character. Using the regular expressions 101 tester (https://regex101.com), the regex expression \$$ does not match Te$t but does match Test$. However, when I use this expression in my winlogbeat.yml file, it drops both events instead of keeping events with winlog.event_data.TargetUserName equal to Te$t. See sample code below. Does winlogbeat not interpret the regex the same way as the tester does?
Your regular expression is correct, so I was really confused. I added some debug to see what the raw string looks like before compiling the regex, and it's \$ so it's just doing a substring match to see if it contains any
Regex string raw: "\\$"
2020-10-13T18:09:27.981-0400 DEBUG [conditions] conditions/conditions.go:98 New condition regexp: map[message:<substring '$'>], map
2020-10-13T18:09:27.981-0400 DEBUG [processors] processors/processor.go:120 Generated new processors: add_tags=matches, condition=regexp: map[message:<substring '$'>], map
Then I remembered the config parsing does variable interpolation. https://www.elastic.co/guide/en/beats/filebeat/master/yaml-tips.html#dollar-sign-strings
So you actually need
I'm using this to filter out Computers:
- regexp.winlog.event_data.TargetUserName: '.*\$'
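An added example (not code from this thread or from the Beats project) that reproduces the behaviour discussed above: the linked yaml-tips page says a literal dollar sign in a Beats config string is written as `$$`, so `expandDollars` below is a simplified stand-in for that step of the real config loader (an assumption of this example; it does not handle `${var}` references), and the result is then compiled with Go's regexp package, which is what the conditions.go debug line is reporting. It shows why `\$$` in winlogbeat.yml collapses to `\$` and drops both Te$t and Test$, while a doubled escape keeps Te$t.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// expandDollars emulates the documented "$$" -> "$" escape applied to
// config strings before a regexp condition is compiled. Simplified
// stand-in for this example only; the real loader also expands ${var}.
func expandDollars(raw string) string {
	return strings.ReplaceAll(raw, "$$", "$")
}

// matches compiles pattern with Go's regexp package, as Beats does for
// regexp conditions, and reports whether it matches value.
func matches(pattern, value string) bool {
	return regexp.MustCompile(pattern).MatchString(value)
}

// wouldDrop emulates a drop_event processor whose when.regexp condition
// is configRegex exactly as typed in winlogbeat.yml: interpolation runs
// first, then the resulting pattern is compiled and tested.
func wouldDrop(configRegex, targetUserName string) bool {
	return matches(expandDollars(configRegex), targetUserName)
}

func main() {
	// Constructed sample values from the question: one name with an
	// embedded $, one with a trailing $.
	names := []string{"Te$t", "Test$"}
	for _, cfg := range []string{`\$$`, `\$$$$`} {
		fmt.Printf("config %q -> compiled pattern %q\n", cfg, expandDollars(cfg))
		for _, n := range names {
			fmt.Printf("  %-6s dropped=%v\n", n, wouldDrop(cfg, n))
		}
	}
}
```

With the single escape both names are dropped; with `\$$$$` only Test$ is dropped, which is the behaviour the question wanted.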