Two different drop_events not dropping events

I have more than 22 event IDs in 'Application' and 'Antivirus Security'.
28 in Application and more than 100 in Antivirus Security.

Below is the winlogbeat.yml configuration:

```yaml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    event_id: 4624, 4625, 4634, 4647
  - name: MPS Alerts
    ignore_older: 72h
    event_id: 701-703, 705, 802-806, 811-813, 815-817, 820, 832, 833, 838
  - name: Application
    processors:
      # Drop every Application event whose ID is not in the whitelist below
      - drop_event.when.and:
          - equals.log_name: Application
          - not.or:
              - equals.event_id: 701
              - equals.event_id: 702
              - equals.event_id: 703
              - equals.event_id: 705
              - equals.event_id: 802
              - equals.event_id: 803
              - equals.event_id: 804
              - equals.event_id: 805
              - equals.event_id: 806
              - equals.event_id: 811
              - equals.event_id: 812
              - equals.event_id: 813
              - equals.event_id: 815
              - equals.event_id: 816
              - equals.event_id: 817
              - equals.event_id: 820
              - equals.event_id: 832
              - equals.event_id: 833
              - equals.event_id: 838
              - equals.event_id: 4097
              - equals.event_id: 3
              - equals.event_id: 5000
              - equals.event_id: 5001
              - equals.event_id: 5008
              - equals.event_id: 901
              - equals.event_id: 902
  - name: Antivirus Security
    processors:
      # Same pattern: drop Antivirus Security events not in the whitelist
      - drop_event.when.and:
          - equals.log_name: Antivirus Security
          - not.or:
              - equals.event_id: 8
              - equals.event_id: 61
              - equals.event_id: 62
              - equals.event_id: 63
              - equals.event_id: 67
              - equals.event_id: 73
              - equals.event_id: 75
              - equals.event_id: 76
              - equals.event_id: 80
              - equals.event_id: 99
              - equals.event_id: 102
              - equals.event_id: 104
              - equals.event_id: 110
              - equals.event_id: 2101
              - equals.event_id: 2102
              - equals.event_id: 2103
              - equals.event_id: 2104
              - equals.event_id: 2105
              - equals.event_id: 2106
              - equals.event_id: 2107
              - equals.event_id: 2108
              # .........and so on .....
```

Before adding the Application block, this configuration was working well with the other event log blocks and Antivirus Security. But after adding the Application block with 28 event IDs, I didn't get a configuration error, but the drop_event processors of both Application and Antivirus Security are not dropping events.

Please suggest,
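As an added example, not from the original post: the same per-channel whitelists expressed with the `event_id` option that the Security and MPS Alerts entries in the post already use. Because `event_id` is evaluated per event log entry, no `equals.log_name` guard or `drop_event` condition is needed for these two channels; the Antivirus Security list is truncated in the post, so only the IDs shown there appear here.

```yaml
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    event_id: 4624, 4625, 4634, 4647
  - name: MPS Alerts
    ignore_older: 72h
    event_id: 701-703, 705, 802-806, 811-813, 815-817, 820, 832, 833, 838
  - name: Application
    # Same 28 IDs as the Application drop_event whitelist in the post;
    # consecutive IDs are collapsed into ranges
    event_id: 3, 701-703, 705, 802-806, 811-813, 815-817, 820, 832, 833, 838, 901, 902, 4097, 5000, 5001, 5008
  - name: Antivirus Security
    # Only the IDs visible in the post; the remaining IDs from the original
    # "and so on" list would be appended here in the same comma-separated form
    event_id: 8, 61-63, 67, 73, 75, 76, 80, 99, 102, 104, 110, 2101-2108
```

Whitelisting with `event_id` keeps the filtering at the channel level, so a mistake in one entry cannot affect what the other channels forward.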
