You can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
- reducing the number of exported fields
- enhancing events with additional metadata
- performing additional processing and decoding
Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Winlogbeat configuration file.
event -> processor 1 -> event1 -> processor 2 -> event2 ...
For example, the following filter configuration drops a few fields that are rarely used (winlog.provider_guid, winlog.process.pid, winlog.process.thread.id and winlog.version) and one nested field, winlog.event_data.ErrorSourceTable:
processors:
  - drop_fields:
      fields: [winlog.provider_guid, winlog.process.pid, winlog.process.thread.id, winlog.version, winlog.event_data.ErrorSourceTable]
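To make the chaining semantics concrete, the following Python model runs a list of processors in configuration order over a Winlogbeat-style event, with a drop_fields processor that resolves dotted paths into nested fields. This is an added example written for this page, not libbeat's own implementation: the sample event, the add_fields helper and the function names are constructed here, while the two behaviours it encodes (drop_fields never removes @timestamp or type, and a missing field is reported as an error unless ignore_missing is true) follow the documented drop_fields options.

```python
"""Model of a Beats processor chain (illustrative, not libbeat's code)."""
import copy
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]
Processor = Callable[[Event], Optional[Event]]

# drop_fields in libbeat refuses to remove these even when they are listed.
PROTECTED_FIELDS = {"@timestamp", "type"}


def _drop_path(event: Event, path: str) -> bool:
    """Delete a dotted path such as 'winlog.process.pid'. Returns True if removed."""
    parts = path.split(".")
    node: Any = event
    for key in parts[:-1]:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    if isinstance(node, dict) and parts[-1] in node:
        del node[parts[-1]]
        return True
    return False


def drop_fields(fields: List[str], ignore_missing: bool = False) -> Processor:
    """Build a processor mirroring a drop_fields configuration block."""
    def run(event: Event) -> Event:
        for path in fields:
            if path in PROTECTED_FIELDS:
                continue  # protected fields are silently kept
            if not _drop_path(event, path) and not ignore_missing:
                # the real processor reports a missing field as an error
                # unless ignore_missing: true is set; modelled here as a KeyError
                raise KeyError(f"drop_fields: field {path!r} not present in event")
        return event
    return run


def add_fields(target: str, fields: Dict[str, Any]) -> Processor:
    """Hypothetical helper: merge fields under a target key (like add_fields)."""
    def run(event: Event) -> Event:
        event.setdefault(target, {}).update(fields)
        return event
    return run


def run_chain(processors: List[Processor], event: Event) -> Optional[Event]:
    """event -> processor 1 -> event1 -> processor 2 -> event2 ..."""
    current: Optional[Event] = copy.deepcopy(event)  # leave the caller's event intact
    for proc in processors:
        if current is None:
            break  # a filtering processor dropped the event entirely
        current = proc(current)
    return current


# Constructed sample event shaped like a Winlogbeat record (values are made up).
SAMPLE_EVENT: Event = {
    "@timestamp": "2024-01-01T00:00:00.000Z",
    "winlog": {
        "provider_guid": "{00000000-0000-0000-0000-000000000000}",
        "provider_name": "Microsoft-Windows-Security-Auditing",
        "event_id": "4624",
        "version": 2,
        "process": {"pid": 700, "thread": {"id": 804}},
        "event_data": {"LogonType": "3", "ErrorSourceTable": ""},
    },
}

# The same field list as the configuration above.
CONFIGURED_DROPS = [
    "winlog.provider_guid",
    "winlog.process.pid",
    "winlog.process.thread.id",
    "winlog.version",
    "winlog.event_data.ErrorSourceTable",
]


def apply_example_config(event: Event) -> Optional[Event]:
    """Run the page's drop_fields block followed by a tagging step."""
    chain = [drop_fields(CONFIGURED_DROPS), add_fields("labels", {"pipeline": "example"})]
    return run_chain(chain, event)


def order_matters() -> bool:
    """Show that processor order changes the result: drop-then-add keeps the label,
    add-then-drop removes it."""
    base: Event = {"@timestamp": "t"}
    drop = drop_fields(["labels.pipeline"], ignore_missing=True)
    add = add_fields("labels", {"pipeline": "x"})
    kept = run_chain([drop, add], base)
    removed = run_chain([add, drop], base)
    return "pipeline" in kept["labels"] and "pipeline" not in removed["labels"]


if __name__ == "__main__":
    print(apply_example_config(SAMPLE_EVENT))
```

Running the module prints the reduced event; the nested containers (winlog.process.thread, winlog.event_data) stay in place with only the named leaves removed, which is also how drop_fields behaves on dotted paths.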