Winlogbeat 8.4 - Processors - Drop Event

prolle · November 30, 2022, 2:06pm

Hi, i'm trying to drop an event from being sent to my elastic cluster.

On the Windows integration i have added a processor under the Windows Powershell channel and the Microsoft-Windows-Powershell/Operational channel.

The processor:

- drop_event:
    when:
      equals:
        source: "powershell.exe -Executionpolicy Bypass -File C:\\Script\\somescript.ps1"
    fields: ["process.command_line"]

But the in the agent logs i get the following error:

Elastic Agent status changed to "error": "app filebeat--8.4.1-a53645b8: 1 error occurred:\n\t* 2 errors: Error creating runner from config: unexpected fields option in processors.2.drop_event;

I guess i have something wrong in my processor, can someone point me in the right directions? Thanks.

prolle · December 2, 2022, 2:28pm

I managed to solve this with the following

          - drop_event.when.not.or:
              - equals.process.command_line: 'powershell.exe -Executionpolicy Bypass -File C:\Script\somescript.ps1'

system · December 30, 2022, 4:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat Drop Event Processor No Longer Working After Update to v8 Beats winlogbeat	1	301	August 3, 2022
Unable to drop events Beats winlogbeat	6	986	June 28, 2018
Struggling with Drop_Event Processor Syntax and Structure Beats winlogbeat	2	356	July 23, 2020
Drop_event processor in Powershell Channels Elastic Agent fleet	3	91	July 18, 2024
Another Drop Event Beats winlogbeat	5	592	June 8, 2020

Winlogbeat 8.4 - Processors - Drop Event

Related topics