You can define processors in your configuration to process events before they are sent to the configured output. The libbeat library provides processors for:
- reducing the number of exported fields
- enhancing events with additional metadata
- performing additional processing and decoding
Each processor receives an event, applies a defined action to the event, and returns the event. If you define a list of processors, they are executed in the order they are defined in the Winlogbeat configuration file.
event -> processor 1 -> event1 -> processor 2 -> event2 ...
For example, the following filter configuration drops a few fields that are rarely used (provider_guid, process_id, thread_id, and version) and one nested field, event_data.ErrorSourceTable:
    processors:
      - drop_fields:
          fields: [provider_guid, process_id, thread_id, version, event_data.ErrorSourceTable]
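Because processors run in the order they are defined, a processor that tests a field must come before the one that drops it. The Python model below is an added example, not libbeat or Winlogbeat code: it mimics drop_fields with the field list above plus a drop_event filter, and the condition on process_id and the sample events are constructed for illustration.

```python
import copy

def drop_fields(fields):
    """Model of drop_fields: remove each (possibly dotted) field path from the event."""
    def proc(event):
        for path in fields:
            *parents, leaf = path.split(".")
            node = event
            for key in parents:
                node = node.get(key) if isinstance(node, dict) else None
                if node is None:
                    break
            if isinstance(node, dict):
                node.pop(leaf, None)
        return event
    return proc

def drop_event_when_equals(field, value):
    """Model of drop_event with an equals condition; a missing field never matches."""
    def proc(event):
        return None if event.get(field) == value else event
    return proc

def run_pipeline(event, processors):
    """event -> processor 1 -> event1 -> processor 2 -> ...; stop once the event is dropped."""
    event = copy.deepcopy(event)  # keep the caller's sample event untouched
    for proc in processors:
        event = proc(event)
        if event is None:
            return None
    return event

DROP = drop_fields(["provider_guid", "process_id", "thread_id", "version",
                    "event_data.ErrorSourceTable"])
FILTER = drop_event_when_equals("process_id", 4)  # constructed condition

# Constructed sample events (not real Winlogbeat output).
NOISY = {"process_id": 4, "thread_id": 8, "version": 1, "provider_guid": "{constructed}",
         "event_data": {"ErrorSourceTable": "x", "Detail": "kept"}}
OTHER = dict(NOISY, process_id=1234)

def shipped(processors):
    """Return the events that would reach the output for this processor order."""
    results = (run_pipeline(ev, processors) for ev in (NOISY, OTHER))
    return [e for e in results if e is not None]

filter_first = shipped([FILTER, DROP])  # NOISY is filtered out, OTHER is trimmed
drop_first = shipped([DROP, FILTER])    # process_id is gone before the filter runs
```

With the filter first, one trimmed event is shipped; with the order reversed, both events are shipped because the condition no longer has a process_id to test.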