Save a variable for use in processors or how to drop later events in a series?

Is it possible to save state in a variable for use in a processor? I'd like to do something like:

- save_variable:
    name: id
    value: winlog.event_data.ScriptBlockId
    when:
      regexp:
        winlog.event_data.ScriptBlockText: "ClassName = 'Root/Microsoft/Windows"
- drop_event:
    when:
      equals:
        winlog.event_data.ScriptBlockId: $id

The idea being that if the first condition were true, we would save the value of the winlog.event_data.ScriptBlockId element in the variable "id". Then if later events had winlog.event_data.ScriptBlockId elements that equaled the value of the "id" variable we would discard them.

Processors are meant to be stateless so there are no features to save a value.

If you wanted to do a more complex logical comparison to determine whether or not to drop an event, then you could use the script processor. But this is only to compare fields within a single event. If you are trying to compare values across multiple events, then the statelessness of processors will be an issue.

Yeah, that's what I figured. Any other alternatives? Something in logstash? NXlog is able to save a value which has been helpful for this situation.

You could use the script processor across threads if you set max_cached_sessions: 1. (See config docs.) This would mean that there is only a single instance of the VM. So if you did store some state as a global variable, it would be there for the next event when it is processed. My only caution is that because processors are meant to be stateless, this behavior could break at some point in the future.
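The approach in the reply above (a global variable inside the script processor, kept alive by `max_cached_sessions: 1`), written out as a worked example. This is added here and is not code from the thread or from Beats: the `process(event)` function is the body a Beats script processor would run, using only the `event.Get` and `event.Cancel` methods the Beats Event API actually provides; the `FakeEvent` harness and the sample events are constructed stand-ins so the file runs offline under node. The regex is the one from the question; the `MAX_REMEMBERED` cap and the `remember`/`isRemembered` helpers are assumptions of this example.

```javascript
// Added example (not code from the thread or from Beats): the reply's
// "global variable in the script processor" idea as a script-processor body,
// plus a small stand-in for the Beats Event API so it runs offline with node.
// Everything above the "offline harness" marker would be the `source:` of a
// processor configured as: script: {lang: javascript, max_cached_sessions: 1}.
// The Beats JavaScript VM (goja) implements ECMAScript 5.1, so the processor
// part deliberately sticks to ES5 syntax.

// ---------- processor code (the `source:` of the script processor) ----------

// Session-global state. It survives between events only while the same VM
// session handles every event; a fresh session starts with empty tables.
var droppedScriptBlockIds = {}; // ScriptBlockId -> true
var rememberedOrder = [];       // insertion order, for eviction
var MAX_REMEMBERED = 1000;      // assumed cap; ScriptBlockIds are per-block GUIDs

// Pattern from the question: marks the first fragment of a script block whose
// remaining fragments should also be dropped.
var CLASSNAME_RE = /ClassName = 'Root\/Microsoft\/Windows/;

function remember(id) {
    if (droppedScriptBlockIds[id] === true) {
        return;
    }
    droppedScriptBlockIds[id] = true;
    rememberedOrder.push(id);
    if (rememberedOrder.length > MAX_REMEMBERED) {
        // Forget the oldest id so the table cannot grow without bound.
        delete droppedScriptBlockIds[rememberedOrder.shift()];
    }
}

function isRemembered(id) {
    return droppedScriptBlockIds[id] === true;
}

// Entry point required by the Beats script processor. (Inside this file the
// name shadows node's global `process`, which is harmless here.)
function process(event) {
    var id = event.Get("winlog.event_data.ScriptBlockId");
    if (id === null || id === undefined) {
        return; // not a script block event; pass it through untouched
    }
    var text = event.Get("winlog.event_data.ScriptBlockText");
    if (typeof text === "string" && CLASSNAME_RE.test(text)) {
        remember(id);   // first matching fragment: remember the id ...
        event.Cancel(); // ... and drop it, as the question's pipeline would
        return;
    }
    if (isRemembered(id)) {
        event.Cancel(); // later fragment of a block already marked for dropping
    }
}

// ---------- offline harness (stand-in for the Beats Event API) ----------

// Minimal Event with the two methods process() uses. The real Beats Event
// also offers Put, Delete, Tag, AppendTo and Rename.
function FakeEvent(fields) {
    this.fields = fields;
    this.cancelled = false;
}
FakeEvent.prototype.Get = function (name) {
    var cur = this.fields;
    var parts = name.split(".");
    for (var i = 0; i < parts.length; i++) {
        if (cur === null || typeof cur !== "object" || !(parts[i] in cur)) {
            return null; // Beats returns null for a missing field
        }
        cur = cur[parts[i]];
    }
    return cur;
};
FakeEvent.prototype.Cancel = function () {
    this.cancelled = true;
};

// Constructed 4104-style event (not captured from a real host).
function scriptBlockEvent(id, text) {
    return new FakeEvent({
        winlog: { event_data: { ScriptBlockId: id, ScriptBlockText: text } }
    });
}

// Push a series through process() and return the ScriptBlockIds that survive.
function runSeries(events) {
    var kept = [];
    for (var i = 0; i < events.length; i++) {
        process(events[i]);
        if (!events[i].cancelled) {
            var id = events[i].Get("winlog.event_data.ScriptBlockId");
            kept.push(id === null ? "(no ScriptBlockId)" : id);
        }
    }
    return kept;
}

// Constructed series: block A spans two fragments and matches, block B is
// unrelated, and the last event is not a script block event at all.
var SAMPLE_SERIES = [
    scriptBlockEvent("A", "$t = @{ ClassName = 'Root/Microsoft/Windows/TaskScheduler' }"),
    scriptBlockEvent("B", "Write-Host 'unrelated script'"),
    scriptBlockEvent("A", "Invoke-CimMethod -InputObject $t -MethodName Refresh"),
    new FakeEvent({ winlog: { event_id: 4103 } })
];

var SAMPLE_RESULT = runSeries(SAMPLE_SERIES);
console.log("kept:", JSON.stringify(SAMPLE_RESULT)); // kept: ["B","(no ScriptBlockId)"]
```

In winlogbeat.yml the processor entry would carry `lang: javascript`, `max_cached_sessions: 1` and the processor half of the file as its `source:` (or a path under `file:`). As the reply cautions, the tables live in one VM session: if Beats ever has to create a second session, that session starts empty and fragments routed through it are not dropped, and any upgrade that changes the session pool can break the trick, so treat it as a workaround rather than a supported feature.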
