Winlogbeat drop event with process path

remrem · June 19, 2021, 7:57am

I want to drop a log for a specific event.code based on process path but it's not working. I have two drop event processor as described below:

processors:
- drop_event:
    when:
      and:
      - or:
        - equals.event.code: 4658
        - equals.event.code: 4656
        - equals.event.code: 4663
        - equals.event.code: 4690
      - equals.winlog.event_data.SubjectUserName: 'TEST$'
- drop_event:
    when:
      and:
      - or:
        - equals.event.code: 4658
        - equals.event.code: 4656
      - equals.winlog.event_data.ProcessName: 'C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe'
      - equals.winlog.event_data.SubjectUserName: 'test'

The first one works fine but the second one doesn't.

system · July 17, 2021, 9:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Struggling with Drop_Event Processor Syntax and Structure Beats winlogbeat	2	356	July 23, 2020
Drop_event not working via process name or path Beats winlogbeat	3	471	March 29, 2022
Drop_event processor not working Beats winlogbeat	3	329	June 9, 2021
Drop_event in 7.6.0 Beats winlogbeat	2	367	March 31, 2020
Winlogbeat doesn't drop events Beats winlogbeat	5	539	June 7, 2023

Winlogbeat drop event with process path

Related topics