Graylog Version: 5.2.0
Sidecar Version: 1.4.0-1
Hello,
In order to save disk space in the future, I do not want to receive certain Windows events in Graylog.
I have read that there is the possibility to specify “drop_event.when.or” in the sidecar configuration.
However, if I add this in different ways, the events are still displayed in Graylog, or the sidecar gets the status “Failed”. I have not yet been able to find a suitable solution on the Internet.
- Example of new configuration which does not work

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["Server:Port"]
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat"}\data
tags:
  - windows
winlogbeat.event_logs:
  - name: Application
    ignore_older: 48h
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 4673
  - name: System
    ignore_older: 48h
  - name: Security
    ignore_older: 48h
  - name: Microsoft-Windows-LSA/Operational
    ignore_older: 48h
- Previous configuration which works

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["Server:Port"]
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat"}\data
tags:
  - windows
winlogbeat.event_logs:
  - name: Application
    ignore_older: 48h
  - name: System
    ignore_older: 48h
  - name: Security
    ignore_older: 48h
  - name: Microsoft-Windows-LSA/Operational
    ignore_older: 48h
I have also tried with “drop_event.when.and” or with numbers in quotation marks.
I would be grateful for your help.
Greetings From Germany
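One way to check offline what a processor block like the one above would actually match, as an added example that is not part of this post and not winlogbeat's own code: the Python below expands the dotted-key form (`drop_event.when.or`, `equals.winlog.event_id`) into the nested form used in the Beats documentation and evaluates the drop_event condition against constructed sample events. It assumes that `equals` compares type-strictly (an integer 4673 and a string "4673" are different values) and models only the equals, or and and conditions.

```python
# Added example, not code from the original post. Models the Beats
# drop_event/when/equals logic; assumes `equals` is type-strict
# (int 4673 != str "4673") and only equals/or/and are supported.

def expand_dotted(obj):
    """Turn {'a.b.c': x} into {'a': {'b': {'c': x}}}, recursing into lists."""
    if isinstance(obj, list):
        return [expand_dotted(i) for i in obj]
    if not isinstance(obj, dict):
        return obj
    out = {}
    for key, value in obj.items():
        if key.split(".")[0] == "equals":  # field paths under equals stay dotted
            rest = key[len("equals."):]
            out.setdefault("equals", {}).update({rest: value} if rest else value)
            continue
        *parents, last = key.split(".")
        cur = out
        for part in parents:
            cur = cur.setdefault(part, {})
        cur[last] = expand_dotted(value)
    return out

def get_field(event, dotted):  # look up e.g. winlog.event_id in a nested event
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def matches(cond, event):
    if "or" in cond:
        return any(matches(c, event) for c in cond["or"])
    if "and" in cond:
        return all(matches(c, event) for c in cond["and"])
    if "equals" in cond:  # type-strict on purpose (assumption, see header)
        return all(get_field(event, f) == v and type(get_field(event, f)) is type(v)
                   for f, v in cond["equals"].items())
    raise ValueError(f"unsupported condition: {cond}")

def dropped(processors, event):  # True if any drop_event condition matches
    return any("drop_event" in p and matches(p["drop_event"]["when"], event)
               for p in expand_dotted(processors))

# Constructed sample input: the post's processor block as a YAML loader would
# return it, plus three made-up events (int id, string id, a different id).
PROCESSORS = [{"drop_event.when.or": [{"equals.winlog.event_id": 4673}]}]
EVENTS = {"int_id": {"winlog": {"event_id": 4673}},
          "str_id": {"winlog": {"event_id": "4673"}},
          "other": {"winlog": {"event_id": 4624}}}
```

Feeding the expanded structure back into a YAML dumper gives the nested form to compare against the Beats processor documentation, and running real events through `dropped()` shows whether the value type in the condition matches the type the collector actually delivers.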