Winlogbeat - multiple event_id's and processor drop_events

Running version 7.17.21, but I cannot seem to get this working. What I am trying to do is: if event_id is xxxx, then drop events that match a regex, but if event_id is not xxxx, then drop events that match a different regex.

winlogbeat.event_logs:
  - name: security1
    event_id: 4624
    processors:
      - drop_event:
          when:
            regexp:
              message: '^aaaaa|^bbbbb|^ccccc'
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: security2
    event_id: 4625, 4726, 4740, 4767, 4769
    processors:
      - drop_event:
          when:
            regexp:
              message: '^ddddd|^eeeee|^fffff'
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

winlogbeat logs indicate it cannot use those names:

2024-05-28T10:45:43.915-0400	WARN	[winlogbeat]	beater/eventlogger.go:147	Open() encountered channel not found error. Trying again...	{"id": "security2", "error": "The specified channel could not be found.", "channel": "security2"}
2024-05-28T10:45:43.915-0400	WARN	[winlogbeat]	beater/eventlogger.go:147	Open() encountered channel not found error. Trying again...	{"id": "security1", "error": "The specified channel could not be found.", "channel": "security1"}

I've also tried, but it doesn't drop anything:

winlogbeat.event_logs:
  - name: Security
    event_id: 4624, 4625, 4726, 4740, 4767, 4769
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - if:
      event.code: 4624
    then:
      - drop_event:
          when:
             regexp:
                message: '^aaaaa|^bbbbb|^ccccc'

Your first attempt is almost correct.

name must be the name of an actual event log channel, so it needs to be Security. You should add id to the configurations to make them unique for persistence on disk.

  - id: security1
    name: Security
    event_id: 4624
    ...
  - id: security2
    name: Security
    event_id: 4625, 4726, 4740, 4767, 4769
    ...

That's not a valid config. It errors with

failed to make if/then/else processor: missing or invalid condition

It's missing the equals operator. And the 4624 needs to be a string (so add quotes) because the value type in the event is a string (example).

  - if:
      equals:
        event.code: '4624'
    then: ...
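Putting the two replies together, here is an added example of the corrected configuration (written for this page, not taken from the original posts or from the Winlogbeat project). It uses the real Security channel with a distinct id per entry, and the global processor with an equals condition and a quoted event code. The regexes, event IDs and script path are the ones from the question; ${path.home} is left as given, and the else branch is an assumption based on the question's "if event_id is not xxxx" requirement.

```yaml
winlogbeat.event_logs:
  # Both entries read the same channel, so `name` is the real channel name
  # and `id` keeps the two entries' on-disk bookmark state separate.
  - id: security1
    name: Security
    event_id: 4624
    processors:
      - drop_event:
          when:
            regexp:
              message: '^aaaaa|^bbbbb|^ccccc'
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - id: security2
    name: Security
    event_id: 4625, 4726, 4740, 4767, 4769
    processors:
      - drop_event:
          when:
            regexp:
              message: '^ddddd|^eeeee|^fffff'
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

# Alternative to the per-entry drop_event processors above (keep one or the
# other, not both). The condition needs an operator (`equals`), and because
# event.code is a string in the event the value must be quoted; an unquoted
# 4624 would be compared as a number and never match. The else branch (an
# assumption here) covers the "event_id is not 4624" case from the question.
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - if:
      equals:
        event.code: '4624'
    then:
      - drop_event:
          when:
            regexp:
              message: '^aaaaa|^bbbbb|^ccccc'
    else:
      - drop_event:
          when:
            regexp:
              message: '^ddddd|^eeeee|^fffff'
```

Before restarting the service, `winlogbeat.exe test config -c winlogbeat.yml` will report the "missing or invalid condition" error from the thread if the equals operator is left out, so it is a cheap way to check the processor block without waiting for events to arrive.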