I want to drop a log for a specific event.code based on the process path, but it's not working. I have two drop_event processors, as described below:
```yaml
processors:
  - drop_event:
      when:
        and:
          - or:
              - equals.event.code: 4658
              - equals.event.code: 4656
              - equals.event.code: 4663
              - equals.event.code: 4690
          - equals.winlog.event_data.SubjectUserName: 'TEST$'
  - drop_event:
      when:
        and:
          - or:
              - equals.event.code: 4658
              - equals.event.code: 4656
          - equals.winlog.event_data.ProcessName: 'C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe'
          - equals.winlog.event_data.SubjectUserName: 'test'
```
The first one works fine, but the second one doesn't.
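As an added example (not part of the original post and not Winlogbeat's own code), here is a small Python evaluator for Beats-style processor conditions (`and`, `or`, `not`, and dotted `equals.<field>` keys) run over a handful of constructed events, so the two `drop_event` rules above can be dry-run offline and you can see exactly which sample each one matches. The sample events, user names and `VEEAM_SHELL` path are constructed for the illustration; the one assumption is that an unquoted integer such as `4658` is accepted against a string `event.code`, since the post reports the first rule matching that way.

```python
# Added illustration (not Winlogbeat's code): a tiny evaluator for Beats-style
# processor conditions so the two drop_event rules can be tested offline.
from typing import Any

VEEAM_SHELL = r"C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe"

# The two `when` blocks from the post, as Python dicts in the same shape as the YAML.
PROCESSORS = [
    {"and": [
        {"or": [{"equals.event.code": 4658}, {"equals.event.code": 4656},
                {"equals.event.code": 4663}, {"equals.event.code": 4690}]},
        {"equals.winlog.event_data.SubjectUserName": "TEST$"},
    ]},
    {"and": [
        {"or": [{"equals.event.code": 4658}, {"equals.event.code": 4656}]},
        {"equals.winlog.event_data.ProcessName": VEEAM_SHELL},
        {"equals.winlog.event_data.SubjectUserName": "test"},
    ]},
]

def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted field path such as winlog.event_data.ProcessName; None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def equals(actual: Any, expected: Any) -> bool:
    """Exact match, like Beats' `equals`: no case folding, no substring or glob matching.
    Winlogbeat ships event.code as a string; the post reports the unquoted integer form
    matching, so numeric condition values are also compared in string form here
    (an assumption made for this illustration)."""
    if isinstance(expected, (int, float)) and not isinstance(expected, bool) and isinstance(actual, str):
        return actual == str(expected)
    return actual == expected

def evaluate(cond: dict, event: dict) -> bool:
    """Evaluate one condition mapping: and / or / not, or a dotted equals.<field> key."""
    if len(cond) != 1:
        raise ValueError(f"condition must have exactly one key: {cond}")
    (key, value), = cond.items()
    if key == "and":
        return all(evaluate(c, event) for c in value)
    if key == "or":
        return any(evaluate(c, event) for c in value)
    if key == "not":
        return not evaluate(value, event)
    if key.startswith("equals."):
        return equals(get_field(event, key[len("equals."):]), value)
    raise ValueError(f"unsupported condition key: {key}")

def dropped_by(event: dict, processors=PROCESSORS) -> list:
    """0-based indices of the drop_event processors whose `when` matches the event."""
    return [i for i, when in enumerate(processors) if evaluate(when, event)]

def make_event(code: str, user: str, process: str) -> dict:
    """Constructed sample event carrying only the fields the two rules look at."""
    return {"event": {"code": code},
            "winlog": {"event_data": {"SubjectUserName": user, "ProcessName": process}}}

# Constructed sample events (not real log data).
SAMPLES = {
    "machine_account_4658": make_event("4658", "TEST$", r"C:\Windows\System32\svchost.exe"),
    "veeam_exact_4656":     make_event("4656", "test", VEEAM_SHELL),
    "veeam_lowercase_path": make_event("4656", "test", VEEAM_SHELL.lower()),
    "veeam_user_TEST":      make_event("4656", "TEST", VEEAM_SHELL),
    "veeam_code_4663":      make_event("4663", "test", VEEAM_SHELL),
}

def run_samples() -> dict:
    """Map each sample name to the list of processors that would drop it."""
    return {name: dropped_by(ev) for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:22s} dropped by processor(s): {hits or 'none'}")
```

The point of the dry run is that `equals` in Beats is a whole-string, case-sensitive comparison: the lowercase-path and `TEST` samples fall through both rules even though they look like the Veeam event. When a field's case or exact form is not stable, the `contains` or `regexp` conditions are the ones to reach for instead of `equals`, and the first thing to check on a rule that never fires is the raw `winlog.event_data.ProcessName` and `SubjectUserName` values in an event that should have been dropped.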