[quote="ssi, post:1, topic:155734"]
is it possible to get winlogbeat to drop the event if event id 3 contains one of the ip adresses mentioned above?
It is possible. But in your original post you used CIDR ranges and Beats do not have support for matching CIDR ranges so you would have to use exact IP addresses or a regular expression.
So if the logic you want is drop_event when `(event_id == 3) AND (event_data.DestinationIp == "22.214.171.124" OR event_data.DestinationIp == "126.96.36.199")` then this should work:
- equals.event_id: 3
- equals.event_data.DestinationIp: '188.8.131.52'
- equals.event_data.DestinationIp: '184.108.40.206'
Indentation is critical in YAML.http://www.yamllint.com/
is your friend and can be used to check that your YAML is valid.