Winlogbeat beta 5 - not dropping fields


(Cord Thomas) #1

We are trying to anonymize some data by dropping some identifying data using the drop_fields feature of winlogbeat 5. As I write this post, i think i am understanding the problem - does anyone have a suggestion? We wanted to drop the SubjectUserName and TargetUserName but i gather this is not parsed by the beat as it is packaged in a single field

we could drop the field on the server but would rather not see this data on our server.

Thoughts for how to remove fields within event_data? We can not index it on the server side, but looking for a client-side solution.

processors:

  • drop_fields:
    fields: [computer_name,host,beat.hostname,user.domain,user.name,event_data.TargetDomainName,event_data.TargetUserName,event_data.SubjectDomainName,event_data.SubjectUserName]

(Andrew Kroh) #2

I believe the source of the problem is that the drop_fields processor quits when it hits any field that does not exist. Since "host" isn't a valid field (unless that's a custom field you've added) the processor always will stop there. I consider this a bug in the processor that it doesn't continue on error. Can you please open a new elastic/beats issue for this problem.

You might also want to format the config to be more readable (but that's a matter of preference).

processors:
- drop_fields:
    fields:
      - computer_name
      - beat.hostname
      - user.domain
      - user.name
      - event_data.TargetDomainName
      - event_data.TargetUserName
      - event_data.SubjectDomainName
      - event_data.SubjectUserName

You can workaround the issue by separating each field into it's own processor. Even if one processor fails due to the field not existing, it should continue to execute the remaining processors.

processors:
- drop_fields.fields: [computer_name]
- drop_fields.fields: [beat.hostname]
- drop_fields: 
    fields: 
      - user.domain 
- drop_fields: 
    fields: 
      - user.name 
- drop_fields: 
    fields: 
      - event_data.TargetDomainName 
- drop_fields: 
    fields: 
      - event_data.TargetUserName 
- drop_fields: 
    fields: 
      - event_data.SubjectDomainName 
- drop_fields: 
    fields: 
      - event_data.SubjectUserName

(system) #3

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.