Winlogbeat match eventdata param1

Siva_ · December 14, 2018, 6:32pm

Hi community,

How can i use the eventdata param1 to filter in winlogbeat?

currently, I am using regex on the message but hoping to avoid it for performance.

processors:
- drop_event:
   when:
    not:
     regexp:
      message: "The Citrix Universal Printing Service*"

bigphil · December 15, 2018, 3:15am

This is the field name that contains the data in param1: event_data.param1

Siva_ · December 16, 2018, 2:44am

Thank you!

winlogbeat.event_logs:
  - name: System
    provider:
        - Service Control Manager
    event_id: 7036, 7031
    tags: ["citrix","ups"]  
    ignore_older: 5m
    processors:
    - drop_event:
       when:
        not:
         equals:
          event_data.param1: "Citrix Universal Printing Service"

system · January 13, 2019, 2:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter when field is missing Beats winlogbeat	4	754	March 1, 2018
Winlogbeat and drop_event filter Beats winlogbeat	5	4944	May 9, 2017
Unable to drop events Beats winlogbeat	6	985	June 28, 2018
Would dropping events by regexp match be possible? Beats winlogbeat	3	599	January 17, 2020
RegEx / RegExp NOT Condition Help Beats winlogbeat	2	993	November 22, 2018

Winlogbeat match eventdata param1

Related topics