Running version 7.17.21, but I cannot seem to get this working. What I am trying to do is: if event_id is xxxx, then drop events that match a regex, but if event_id is not xxxx, then drop events that match a different regex.
winlogbeat.event_logs:
  - name: security1
    event_id: 4624
    processors:
      - drop_event:
          when:
            regexp:
              message: '^aaaaa|^bbbbb|^ccccc'
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
  - name: security2
    event_id: 4625, 4726, 4740, 4767, 4769
    processors:
      - drop_event:
          when:
            regexp:
              message: '^ddddd|^eeeee|^fffff'
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
The winlogbeat logs indicate that I cannot use those names:
2024-05-28T10:45:43.915-0400 WARN [winlogbeat] beater/eventlogger.go:147 Open() encountered channel not found error. Trying again... {"id": "security2", "error": "The specified channel could not be found.", "channel": "security2"}
2024-05-28T10:45:43.915-0400 WARN [winlogbeat] beater/eventlogger.go:147 Open() encountered channel not found error. Trying again... {"id": "security1", "error": "The specified channel could not be found.", "channel": "security1"}
I've also tried this, but it doesn't drop anything:
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4726, 4740, 4767, 4769
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - if:
      event.code: 4624
    then:
      - drop_event:
          when:
            regexp:
              message: '^aaaaa|^bbbbb|^ccccc'
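As an added example (not from the original post), here is how the intended per-event-ID filtering can be expressed with a single `Security` channel and the Beats `if` processor, which requires a condition operator such as `equals` under `if` and supports an `else` branch for the "not xxxx" case. It assumes that `event.code` is populated as a string by this Winlogbeat version, so the compared value is quoted; the regex patterns are the placeholders from the post.

```yaml
winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4726, 4740, 4767, 4769
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  # Branch on the event ID: one regex for 4624, a different one for all
  # other collected IDs. The value is quoted because event.code is
  # assumed to be a string field here.
  - if:
      equals:
        event.code: "4624"
    then:
      - drop_event:
          when:
            regexp:
              message: '^aaaaa|^bbbbb|^ccccc'
    else:
      - drop_event:
          when:
            regexp:
              message: '^ddddd|^eeeee|^fffff'
```

If the drop still does not fire, inspect a published event to confirm which field (`event.code` or `winlog.event_id`) carries the ID and whether it is a string or a number before choosing the comparison value.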