hello. Im new in elk stack, i want to ask regarding requirements about how to reduce logs so elk service will only retrieve data if one of the some fields are not empty.
this is what i've done but not working yet
processors:
- drop_event:
when:
and:
- not:
has_fields: ["auditd.log.SGID", "process.executable", "process.args"]
expected
elk will only collect logs if at least one of 3 fields above are not empty. Otherwise, it will not recorded.