Unable to filter winlogbeats events by keywords field

[vbohata]

Version: v5.0.0-alpha5
Operating System: Windows Server 2012R2

I am unable to exclude events by keywords field. Config option " keywords: "Audit Success" " does not work, in beats log is:

2016-08-11T10:05:43+02:00 WARN unexpected type []string in contains condition as it accepts only strings. 
2016-08-11T10:05:43+02:00 WARN unexpected type []string in contains condition as it accepts only strings. 
2016-08-11T10:05:43+02:00 WARN unexpected type []string in contains condition as it accepts only strings. 
2016-08-11T10:05:43+02:00 WARN unexpected type []string in contains condition as it accepts only strings. 

Config option " keywords: ["Audit Success"] " also does not work but there is no error in beats log.

Processors config:

processors:
  - drop_event:
      when:
        and:
          - equals:
              log_name: Security
          - contains:
              keywords: ["Audit Success"]

[spacewander]

Try keywords: "Audit Success"?

[vbohata]

I tried it, with this, there is error in log: unexpected type []string

[ruflin]

@andrewkroh Not sure if this could be related to #2209 ?

[vbohata]

There is no more info in log. Just repeated "WARN unexpected type []string in contains condition as it accepts only strings." line.

[andrewkroh]

In the event log record, keywords is an array. The contains filter only accepts a string value as its input which is what causes the warning and the filter to not work. We should enhance it to check each element in the array.

And like @spacewander said, it should be configured as keywords: "Audit Success".

[andrewkroh]

I opened PR #2248 to make contains work on arrays of strings.

[andrewkroh]

This should be fixed in 5.0.