Hi,
I am very to ELK. I've setup a GPO which forwards sysmon and sercurity logs to a server. Then I have winlogbeat which sends the log to logstash. Everything works like a charm except now I am trying to filter the events I am not interested in.
Here is an example
So in Winlogbeat I created the following processor
processors:
-drop_event.when:
Unfortunately the logs are still be sent.
Thanks in advance,
Thomas
Hi @limp15000, please use code escaping when pasting settings, they get formatted by discuss if not. I cannot tell but there may be some indenting/formatting issues in your settings. Something like this should work:
processors:
- drop_event.when:
equals.event_data.TargetUserName: '$Printer_Maestro$'
Best regards
Excellent this seems to do the trick. Thank you very much for your quick assistance 
May I suggest you update the following documentation :
Which looks wrong or maybe isn't clear enough
Sorry seems there is something I am not understanding...
I added drop fields.
processors:
- drop_event.when:
equals.event_data.TargetUserName: '$Printer_Maestro$'
- drop_fields.when:
equals.fields: ['beat.hostname', 'beat.name', 'beat.version']
Maybe some more info, I am using notepad++ to edit the yaml file.
You don't need to put when and equals in this case, as you don't put a condition
lol.... ok works now. Sorry for the dumb questions, quite new to this 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.