I'm looking to collect specific System events. I would like all error and warning events. Only 36880 information events. And finally ignore older than 72 hours. This code checks out but still including information events outside 36880. Warning and Errors are still being collected as intended.
- name: System
ignore_older: 72h
processors:
- drop_event.when.and:
- equals.level: information
- not.equals.event_id: 36880
Hello,
Could you please check the fields names in your data ; because depending your Winlogbeat version these fields are named differently.
Example on a 7.6 agents :
winlog.event_id
log.level
Your code then would be like this :
- name: System
ignore_older: 72h
processors:
- drop_event.when.and:
- equals.log.level: information
- not.equals.winlog.event_id: 36880
Regards
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.