Send event logs to pipeline based on event_id

Hi there. I am trying to send specific Windows event logs to a pipeline based on event_id in my winlogbeat.yml config file. However, when the conditional is added to the config file, it appears to bypass the pipeline completely. The error logs seem to indicate that event_id is being seen as a non-string datatype, and that's why the when.contains fails.

I'm running winlogbeat 6.8.10, as my ELK stack is part of a Security Onion setup.

Relevant config:

output.elasticsearch:
  hosts: ["hostname:9200"]
  pipelines:
    - pipeline: "mypipeline"
      when.contains:
        event_id: "1210"

And the error I'm seeing in the log:

2020-10-05T15:41:40.134-0700	WARN	conditions/matcher.go:97	unexpected type uint32 in contains condition as it accepts only strings.

I'm open to any options. The ultimate goal is to be able to send logs to various pipelines based on event_id.

Thanks!

How about using when.equals.event_id: 1210? I think the equality condition should work for numbers.


I will give it a try and update this post with the result. Thank you.

Also, if you don't mind, can you point me to where I can find more documentation about things like conditions that can be used in beats config files? I have been using this as a guide thus far: https://www.elastic.co/guide/en/beats/winlogbeat/6.8/elasticsearch-output.html

Thank you again.

That worked. Thank you!

Docs for processors and conditions are at https://www.elastic.co/guide/en/beats/winlogbeat/current/defining-processors.html. Choose your version on the right hand side dropdown menu.

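Putting the thread's answer together as an added example (not taken from the posts above or from the Beats docs): a Winlogbeat 6.x output block that routes event IDs to pipelines with the numeric `equals` condition, next to the string-only `contains` form that fails, and uses `or` to send several IDs to one pipeline. Host, pipeline names and the extra event IDs are placeholders I chose for illustration.

```yaml
output.elasticsearch:
  hosts: ["hostname:9200"]

  # Fallback used when no rule in `pipelines` matches (placeholder name).
  pipeline: "default-pipeline"

  pipelines:
    # Does NOT match: in Winlogbeat 6.x event_id is a uint32, and
    # `contains` compares strings only, which produces the
    # "unexpected type uint32 in contains condition" warning.
    # - pipeline: "mypipeline"
    #   when.contains:
    #     event_id: "1210"

    # Works: `equals` compares numbers, so event 1210 reaches mypipeline.
    - pipeline: "mypipeline"
      when.equals:
        event_id: 1210

    # Several IDs to one pipeline: combine `equals` clauses with `or`.
    # 4624/4625/4648 are example logon event IDs; swap in your own.
    - pipeline: "logon-pipeline"
      when.or:
        - equals:
            event_id: 4624
        - equals:
            event_id: 4625
        - equals:
            event_id: 4648
```

Rules are evaluated top to bottom and the first match wins, so put the most specific `equals` rules first.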

Thank you!
