Winlogbeat processor not dropping events


(krishna_gaddipati) #1

I want to drop events if the provider is not Service Control Manager, mfehidk or PRIVMAN AND if the event_id is not 7036, 516 or 100.
However, this does not seem to work; I am getting events that should be blocked. Any suggestions?

winlogbeat:
  event_logs:
  - name: System
    provider:
    - Service Control Manager
    - mfehidk
    - PRIVMAN
  processors:
  - drop_event.when:
      - not.or: 
         - equals.event_id: 7036
         - equals.event_id: 516
         - equals.event_id: 100

(Andrew Kroh) #2

The processors are not being configured because the processors configuration option is specified at an invalid location. Currently you have it indented such that it is a sibling of event_logs, but it needs to be either a sibling of winlogbeat for global usage or a sibling of name and provider for a local processor (local support added in 6.x). Specifying them with the event_log they operate on is best for performance.

What version of Winlogbeat are you using?

winlogbeat.event_logs:
- name: System
  provider:
  - Service Control Manager
  - mfehidk
  - PRIVMAN
  processors:
  - drop_event.when.not.or: 
    - equals.event_id: 7036
    - equals.event_id: 516 
    - equals.event_id: 100 

If you enable debug logging (-e -d "processors") you will see logs like:

2018/01/16 18:56:22.772468 condition.go:97: DBG [processors] New condition equals: map[event_id:7036]
2018/01/16 18:56:22.772479 condition.go:97: DBG [processors] New condition equals: map[event_id:516]
2018/01/16 18:56:22.772488 condition.go:97: DBG [processors] New condition equals: map[event_id:100]
2018/01/16 18:56:22.772496 condition.go:97: DBG [processors] New condition equals: map[event_id:7036] or equals: map[event_id:516] or equals: map[event_id:100]
2018/01/16 18:56:22.772506 condition.go:97: DBG [processors] New condition not equals: map[event_id:7036] or equals: map[event_id:516] or equals: map[event_id:100]
2018/01/16 18:56:22.772519 processor.go:49: DBG [processors] Processors: drop_event, condition=not equals: map[event_id:7036] or equals: map[event_id:516] or equals: map[event_id:100]

(krishna_gaddipati) #3

Hi @andrewkroh, I appreciate your quick reply.
I am using winlogbeat-5.6.3.
I tried your config but got the error below:

2018-01-16T12:18:56-07:00 CRIT Exiting: Failed to create new event log. 1 error: Invalid event log key 'processors' found. Valid keys are api, batch_read_size, event_id, fields, fields_under_root, forwarded, ignore_older, include_xml, level, name, provider, tags

But when I make processors a sibling of winlogbeat as below, it's working:

winlogbeat.event_logs:
- name: System
  provider:
  - Service Control Manager
  - mfehidk
  - PRIVMAN
  - test

processors:
- drop_event.when.not.or:
  - equals.event_id: 7036
  - equals.event_id: 516
  - equals.event_id: 100
  - equals.event_id: 555


(Andrew Kroh) #4

Like I said, this configuration is only supported in 6.x.

You'll need to use a global processor configuration because you are not using 6.x.

winlogbeat.event_logs:
- name: System
  provider:
  - Service Control Manager
  - mfehidk
  - PRIVMAN

processors:
- drop_event.when.not.or: 
  - equals.event_id: 7036
  - equals.event_id: 516 
  - equals.event_id: 100 
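
As an added illustration, not code from this thread or from Winlogbeat itself, here is a small Python model of what posts #2 and #4 describe: where a processors key may sit (at the top level in any version; inside an event_logs entry only where local processors are supported, which the thread places at 6.x and which 5.6.3 rejects with the error quoted in post #3), and how a drop_event.when.not.or list of equals conditions is evaluated against an event. The configuration dicts and sample events are constructed to mirror the thread's YAML so no YAML library is needed; the function names, the wording of the placement errors and the operator set (equals, or, and, not) are this example's own assumptions, not Winlogbeat's implementation.

```python
"""Model of Winlogbeat processor placement and drop_event condition evaluation.

Added example; it is not Winlogbeat's own code. Configs are Python dicts that
mirror the YAML in the thread, with Beats-style dotted keys left intact so
the expansion step below can be shown.
"""

# Valid per-event-log keys, copied from the 5.6.3 error message in the thread.
VALID_EVENT_LOG_KEYS = {
    "api", "batch_read_size", "event_id", "fields", "fields_under_root",
    "forwarded", "ignore_older", "include_xml", "level", "name", "provider",
    "tags",
}

# The rule the thread wants: drop anything whose event_id is not 7036, 516 or 100.
DROP_UNWANTED_IDS = [
    {"drop_event.when.not.or": [
        {"equals.event_id": 7036},
        {"equals.event_id": 516},
        {"equals.event_id": 100},
    ]},
]

SYSTEM_LOG = {"name": "System",
              "provider": ["Service Control Manager", "mfehidk", "PRIVMAN"]}

# Post #1 (constructed copy): processors is a sibling of event_logs, an invalid spot.
ORIGINAL_CONFIG = {"winlogbeat": {"event_logs": [SYSTEM_LOG],
                                  "processors": DROP_UNWANTED_IDS}}

# Post #4 (constructed copy): global processors, the form that works on 5.x.
GLOBAL_CONFIG = {"winlogbeat.event_logs": [SYSTEM_LOG],
                 "processors": DROP_UNWANTED_IDS}

# Post #2 (constructed copy): per-event-log processors, accepted only with local support.
LOCAL_CONFIG = {"winlogbeat.event_logs": [dict(SYSTEM_LOG, processors=DROP_UNWANTED_IDS)]}


def expand_dotted(node):
    """Expand 'a.b.c: v' keys into nested dicts, the way Beats config loading does."""
    if isinstance(node, list):
        return [expand_dotted(n) for n in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        parts = key.split(".")
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = expand_dotted(value)
    return out


def compile_condition(spec):
    """Turn one (already expanded) condition object into a predicate event -> bool."""
    if len(spec) != 1:
        raise ValueError("a condition must have exactly one operator: %r" % spec)
    [(op, arg)] = spec.items()
    if op == "equals":  # every listed field must match exactly
        return lambda ev: all(ev.get(field) == value for field, value in arg.items())
    if op == "or":
        subs = [compile_condition(s) for s in arg]
        return lambda ev: any(s(ev) for s in subs)
    if op == "and":
        subs = [compile_condition(s) for s in arg]
        return lambda ev: all(s(ev) for s in subs)
    if op == "not":  # 'not' wraps a single condition, here the 'or' list
        sub = compile_condition(arg)
        return lambda ev: not sub(ev)
    raise ValueError("unsupported operator %r (this model knows equals/or/and/not)" % op)


def keeps_event(processors, event):
    """Return True if the event survives every drop_event processor in the list."""
    for proc in expand_dotted(processors):
        if "drop_event" not in proc:
            continue  # other processor types are outside this example's scope
        when = proc["drop_event"].get("when")
        if when is None:
            raise ValueError("drop_event requires a 'when' condition")
        if compile_condition(when)(event):
            return False
    return True


def placement_errors(config, local_processors_supported):
    """List placement problems: 'processors' beside event_logs is ignored, and inside an
    event log it is an invalid key unless local processors are supported (6.x per the thread)."""
    errors = []
    wlb = expand_dotted(config).get("winlogbeat", {})
    if "processors" in wlb:
        errors.append("'processors' is a sibling of event_logs and is ignored there")
    for log in wlb.get("event_logs", []):
        for key in log:
            if key in VALID_EVENT_LOG_KEYS or (key == "processors" and local_processors_supported):
                continue
            errors.append("Invalid event log key %r found in event log %r" % (key, log.get("name")))
    return errors


def effective_processors(config, local_processors_supported):
    """Collect the processors that would actually run: global ones, plus per-event-log
    ones where supported. A misplaced list (post #1) is simply not returned."""
    cfg = expand_dotted(config)
    procs = list(cfg.get("processors", []))
    if local_processors_supported:
        for log in cfg.get("winlogbeat", {}).get("event_logs", []):
            procs.extend(log.get("processors", []))
    return procs


if __name__ == "__main__":
    sample_events = [{"event_id": 7036}, {"event_id": 516}, {"event_id": 7040}]  # constructed
    for label, cfg, local_ok in [("original, 5.x", ORIGINAL_CONFIG, False),
                                 ("global, 5.x", GLOBAL_CONFIG, False),
                                 ("local, 5.x", LOCAL_CONFIG, False),
                                 ("local, 6.x", LOCAL_CONFIG, True)]:
        print(label, "placement errors:", placement_errors(cfg, local_ok))
        procs = effective_processors(cfg, local_ok)
        print("  kept event_ids:", [e["event_id"] for e in sample_events if keeps_event(procs, e)])
```

Running the script shows the symptom from post #1 directly: with the misplaced list no processors take effect, so event 7040 is kept, while the global form (or the local form once local processors are supported) drops it and keeps only 7036 and 516.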

(krishna_gaddipati) #5

Thank you @andrewkroh


(grant) #6

PS C:\Apps\winlogbeat-6.1.2-windows-x86_64> .\winlogbeat.exe
Exiting: Failed to create new event log. 1 error: Invalid event log key 'processors' found. Valid keys are api, batch_read_size, event_id, fields, fields_under_root, forwarded, ignore_older, include_xml, level, name, provider, tags

I have tried sticking processors all over the place in winlogbeat section and haven't gotten it to work yet besides in the global section, better documentation is needed for 6.x+.


(Andrew Kroh) #7

Sounds like you have hit a config validation bug in 6.x. The processors key is missing from the list in that error message. Until that's addressed, only processors at the top level will work.

I believe processors should be included in the list at:

Can you please open an issue for this on GitHub.


(Andrew Kroh) #8

(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.