Unable to create a proper processor for windows module to filter certain services

Hi,

I'm currently evaluating Metricbeat for monitoring our systems. On Windows I would like to monitor only services that are started automatically (or delayed), except for a few services which are OK to be stopped even if started automatically.

So I thought it would be a piece of cake to write a processor for the Windows module config file. Here is what it looks like:

    - module: windows
      metricsets:
        - service
      period: 2m
      processors:
        - drop_event:
            when:
              or:
                - not:
                  contains:
                    windows.service.start_type: "Automatic"
                - equals:
                  windows.service.name: "MapsBroker"
                - equals:
                  windows.service.name: "sppsvc"
                - equals:
                  windows.service.name: "RemoteRegistry"
                - equals:
                  windows.service.name: "WbioSrvc"
                - equals:
                  windows.service.name: "SQLTELEMETRY$SQLEXPRESS"

But unfortunately this seems to be wrong, as I can see in the logs: Error creating runner from config: 1 error: failed to initialize condition: missing or invalid condition

But I can't figure out the error in my conditions. To me this looks like what is shown in the documentation. Can anybody help me with this? Thanks!

OK, I finally fixed it myself by rewriting it like this:

- module: windows
  metricsets:
    - service
  period: 2m
  processors:
    - drop_event.when.or:
      - not.contains.windows.service.start_type: "Automatic"
      - equals.windows.service.name: "MapsBroker"
      - equals.windows.service.name: "sppsvc"
      - equals.windows.service.name: "RemoteRegistry"
      - equals.windows.service.name: "WbioSrvc"
      - equals.windows.service.name: "SQLTELEMETRY$SQLEXPRESS"
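An added example, not part of the original posts: the first config written in the expanded (non-dotted) form, with each condition body indented one level under its operator. In the first config, `contains:` and `windows.service.name:` sit at the same indentation as `not:` and `equals:`, so YAML parses them as sibling keys and the operators are left with empty values. The module, fields and service names are the ones from the thread; the indentation width is a choice made here.

```yaml
- module: windows
  metricsets:
    - service
  period: 2m
  processors:
    - drop_event:
        when:
          or:
            # Drop every service whose start type does not contain "Automatic".
            - not:
                contains:        # child of "not", indented below it
                  windows.service.start_type: "Automatic"
            # Drop automatic services that are allowed to be stopped.
            - equals:
                windows.service.name: "MapsBroker"   # child of "equals"
            - equals:
                windows.service.name: "sppsvc"
            - equals:
                windows.service.name: "RemoteRegistry"
            - equals:
                windows.service.name: "WbioSrvc"
            - equals:
                windows.service.name: "SQLTELEMETRY$SQLEXPRESS"
```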