We are trying to anonymize some data by dropping some identifying data using the drop_fields feature of winlogbeat 5. As I write this post, i think i am understanding the problem - does anyone have a suggestion? We wanted to drop the SubjectUserName and TargetUserName but i gather this is not parsed by the beat as it is packaged in a single field
we could drop the field on the server but would rather not see this data on our server.
Thoughts for how to remove fields within event_data? We can not index it on the server side, but looking for a client-side solution.
I believe the source of the problem is that the drop_fields processor quits when it hits any field that does not exist. Since "host" isn't a valid field (unless that's a custom field you've added) the processor always will stop there. I consider this a bug in the processor that it doesn't continue on error. Can you please open a new elastic/beats issue for this problem.
You might also want to format the config to be more readable (but that's a matter of preference).
You can workaround the issue by separating each field into it's own processor. Even if one processor fails due to the field not existing, it should continue to execute the remaining processors.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.