Winlogbeat processor not dropping events

saikrishnagaddipati · January 16, 2018, 5:45am

I want to drop events if provider is not Service Control Manager or mfehidk or PRIVMAN AND if event_id is not 7036 or 516 or 100.
However this doesnot seems to work i am getting events that should be blocked? Any suggestions??

winlogbeat:
  event_logs:
  - name: System
    provider:
    - Service Control Manager
    - mfehidk
    - PRIVMAN
  processors:
  - drop_event.when:
      - not.or: 
         - equals.event_id: 7036
         - equals.event_id: 516
         - equals.event_id: 100

andrewkroh · January 16, 2018, 7:01pm

The processors are not being configured because the processors configuration option is specified at an invalid location. Currently you have it indented such that it is a sibling of event_logs, but it needs to be either a sibling of winlogbeat for global usage or a sibling of name and provider for a local processor (local support added in 6.x). Specifying them with the event_log they operate on is best for performance.

What version of Winlogbeat are you using?

winlogbeat.event_logs:
- name: System
  provider:
  - Service Control Manager
  - mfehidk
  - PRIVMAN
  processors:
  - drop_event.when.not.or: 
    - equals.event_id: 7036
    - equals.event_id: 516 
    - equals.event_id: 100

If you enable debug logging (-e -d "processors") you will see logs like:

2018/01/16 18:56:22.772468 condition.go:97: DBG [processors] New condition equals: map[event_id:7036]
2018/01/16 18:56:22.772479 condition.go:97: DBG [processors] New condition equals: map[event_id:516]
2018/01/16 18:56:22.772488 condition.go:97: DBG [processors] New condition equals: map[event_id:100]
2018/01/16 18:56:22.772496 condition.go:97: DBG [processors] New condition equals: map[event_id:7036] or equals: map[event_id:516] or equals: map[event_id:100]
2018/01/16 18:56:22.772506 condition.go:97: DBG [processors] New condition not equals: map[event_id:7036] or equals: map[event_id:516] or equals: map[event_id:100]
2018/01/16 18:56:22.772519 processor.go:49: DBG [processors] Processors: drop_event, condition=not equals: map[event_id:7036] or equals: map[event_id:516] or equals: map[event_id:100]

saikrishnagaddipati · January 16, 2018, 8:08pm

Hi @andrewkroh, appreciate your quick reply
I am using winlogbeat-5.6.3 version.
I tried your config but got the below error

2018-01-16T12:18:56-07:00 CRIT Exiting: Failed to create new event log. 1 error: Invalid event log key 'processors' found. Valid keys are api, batch_read_size, event_id, fields, fields_under_root, forwarded, ignore_older, include_xml, level, name, provider, tags

But when i make processors a sibling of winlogbeat as below its working
winlogbeat.event_logs:
- name: System
provider:
- Service Control Manager
- mfehidk
- PRIVMAN
- test
processors:
- drop_event.when.not.or:
- equals.event_id: 7036
- equals.event_id: 516
- equals.event_id: 100
- equals.event_id: 555

andrewkroh · January 16, 2018, 8:20pm

Like I said, this configuration is only supported in 6.x.

You'll need to use a global processor configuration because you are not using 6.x.

winlogbeat.event_logs:
- name: System
  provider:
  - Service Control Manager
  - mfehidk
  - PRIVMAN

processors:
- drop_event.when.not.or: 
  - equals.event_id: 7036
  - equals.event_id: 516 
  - equals.event_id: 100

saikrishnagaddipati · January 16, 2018, 8:53pm

thankyou @andrewkroh

grants · January 23, 2018, 5:08pm

PS C:\Apps\winlogbeat-6.1.2-windows-x86_64> .\winlogbeat.exe
Exiting: Failed to create new event log. 1 error: Invalid event log key 'processors' found. Valid keys are api, batch_read_size, event_id, fields, fields_under_root, forwarded, ignore_older, include_xml, level, name, provider, tags

I have tried sticking processors all over the place in winlogbeat section and haven't gotten it to work yet besides in the global section, better documentation is needed for 6.x+.

andrewkroh · January 23, 2018, 5:25pm

Sounds like you have hit a config validation bug in 6.x. The processors key is missing from the list in that error message. Until that's addresseed only processors at the top-level will work.

I believe processors should be included in the list at:

github.com

elastic/beats/blob/master/winlogbeat/eventlog/factory.go#L13


import (
	"fmt"
	"sort"
	"strings"


	"github.com/joeshaw/multierror"


	"github.com/elastic/beats/libbeat/common"
)


var commonConfigKeys = []string{"api", "name", "fields", "fields_under_root", "tags"}


// ConfigCommon is the common configuration data used to instantiate a new
// EventLog. Each implementation is free to support additional configuration
// options.
type ConfigCommon struct {
	API  string `config:"api"`  // Name of the API to use. Optional.
	Name string `config:"name"` // Name of the event log or channel.
}


type validator interface {

Can you please open an issue for this on Github.

andrewkroh · January 30, 2018, 3:49am

system · February 27, 2018, 3:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Processor [drop_event] not dropping events Beats winlogbeat	9	9108	February 16, 2017
Drop_event.when.not.or: - not working, Please help Beats winlogbeat	2	549	February 12, 2020
Drop_event in 7.6.0 Beats winlogbeat	2	367	March 31, 2020
Winlogbeat 7.0 not dropping events Beats winlogbeat	2	875	May 13, 2019
Processor not dropping events Beats Winlogbeat Beats winlogbeat	3	809	April 29, 2021

Winlogbeat processor not dropping events

Related topics