
Unable to filter winlogbeats events by keywords field #2237

Closed
vbohata opened this issue Aug 11, 2016 · 7 comments

@vbohata

commented Aug 11, 2016

Version: v5.0.0-alpha5
Operating System: Windows Server 2012R2

I am unable to exclude events by the keywords field. The config option keywords: "Audit Success" does not work; in the beats log there is:

2016-08-11T10:05:43+02:00 WARN unexpected type []string in contains condition as it accepts only strings. 
2016-08-11T10:05:43+02:00 WARN unexpected type []string in contains condition as it accepts only strings. 
2016-08-11T10:05:43+02:00 WARN unexpected type []string in contains condition as it accepts only strings. 
2016-08-11T10:05:43+02:00 WARN unexpected type []string in contains condition as it accepts only strings. 

The config option keywords: ["Audit Success"] also does not work, but there is no error in the beats log.

Processors config:

processors:
  - drop_event:
      when:
        and:
          - equals:
              log_name: Security
          - contains:
              keywords: ["Audit Success"]
@spacewander

Contributor

commented Aug 11, 2016

Try keywords: "Audit Success"?

@vbohata

Author

commented Aug 11, 2016

I tried it; with this, there is an error in the log: unexpected type []string

@ruflin

Collaborator

commented Aug 11, 2016

@andrewkroh Not sure if this could be related to #2209 ?

@ruflin ruflin added the Winlogbeat label Aug 11, 2016

@vbohata

Author

commented Aug 11, 2016

There is no more info in the log. Just the repeated "WARN unexpected type []string in contains condition as it accepts only strings." line.

@andrewkroh

Member

commented Aug 11, 2016

In the event log record, keywords is an array. The contains filter only accepts a string value as its input which is what causes the warning and the filter to not work. We should enhance it to check each element in the array.

And like @spacewander said, it should be configured as keywords: "Audit Success".
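The behaviour described in this comment and in the original report (keywords is an array, a string-only contains check warns and never matches, so the drop_event rule silently fails open and every Audit Success record keeps flowing) can be shown with a small, self-contained Go model of the processor conditions. This is an added illustration, not Beats' own code: the Event, Equals, Contains and And types and the ShouldDrop helper are assumptions made for the example, and the sample events are constructed, not real Windows event log records.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a flattened Winlogbeat record: field name -> value.
// As noted in the issue, "keywords" on a Security event is an array, not a string.
type Event map[string]interface{}

// Condition is the common interface for the clauses under `when:`.
type Condition interface {
	Check(e Event) bool
}

// Equals models the `equals: {field: value}` clause for string values.
type Equals struct {
	Field string
	Value string
}

func (c Equals) Check(e Event) bool {
	v, ok := e[c.Field].(string)
	return ok && v == c.Value
}

// Contains models the `contains: {field: substring}` clause. Unlike the
// string-only check that produced the warning in the issue, it also accepts
// []string and []interface{} (what YAML/JSON decoders usually produce) and
// matches when any element contains the substring.
type Contains struct {
	Field     string
	Substring string
	// Warnings collects the "unexpected type" messages instead of logging them,
	// so a caller (or test) can see what was rejected.
	Warnings []string
}

func (c *Contains) Check(e Event) bool {
	switch v := e[c.Field].(type) {
	case string:
		return strings.Contains(v, c.Substring)
	case []string:
		for _, s := range v {
			if strings.Contains(s, c.Substring) {
				return true
			}
		}
		return false
	case []interface{}:
		for _, item := range v {
			if s, ok := item.(string); ok && strings.Contains(s, c.Substring) {
				return true
			}
		}
		return false
	default:
		// Unknown type: record the warning and fail closed for the drop decision
		// (the event is kept), exactly the situation the issue reports.
		c.Warnings = append(c.Warnings, fmt.Sprintf("unexpected type %T in contains condition", v))
		return false
	}
}

// And models the `and:` list in the processor config: all clauses must hold.
type And []Condition

func (a And) Check(e Event) bool {
	for _, c := range a {
		if !c.Check(e) {
			return false
		}
	}
	return true
}

// NewAuditSuccessFilter builds the drop_event condition from the issue:
// log_name equals "Security" AND keywords contains "Audit Success".
func NewAuditSuccessFilter() Condition {
	return And{
		Equals{Field: "log_name", Value: "Security"},
		&Contains{Field: "keywords", Substring: "Audit Success"},
	}
}

// ShouldDrop reports whether drop_event would discard the event.
func ShouldDrop(e Event) bool {
	return NewAuditSuccessFilter().Check(e)
}

func main() {
	// Constructed sample events, not real log records.
	success := Event{"log_name": "Security", "keywords": []string{"Audit Success"}}
	failure := Event{"log_name": "Security", "keywords": []string{"Audit Failure"}}
	system := Event{"log_name": "System", "keywords": []string{"Audit Success"}}
	fmt.Println(ShouldDrop(success), ShouldDrop(failure), ShouldDrop(system))
}
```

Worth noticing from a monitoring point of view: a type mismatch in a drop_event condition does not drop anything, so the failure mode is extra volume rather than lost audit data; the reverse (a too-broad contains match quietly dropping Audit Failure records as well) is the case to test for when this kind of filter is changed.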

@andrewkroh

Member

commented Aug 11, 2016

I opened PR #2248 to make contains work on arrays of strings.

@andrewkroh

Member

commented Nov 3, 2016

This should be fixed in 5.0.

@andrewkroh andrewkroh closed this Nov 3, 2016
