This seems to not be working. Messages that I want dropped (postgres messages that contain the string "password") are being sent to Elasticsearch. Can someone help me with the error in my ways?
elasticsearch-output.conf
filter {
  # Note: [_type] is not a Logstash event field (inputs set [type]), so this
  # conditional never matches and nothing is dropped. Kept as originally posted.
  if [_type] == "postgres" and [message] =~ /PASSWORD|password|Password/ {
    drop {}
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
}
After much trial and error, the config below seems to be doing what I want.
I'm not sure why the original drop {} was not working? Also, is there a better way to handle case when matching? I tried /password/i but it did not pass configtest. Any pointers appreciated.
filter {
  # Parentheses added: without them the "or" branches are not limited to
  # postgres events, so any message containing "Password" or "PASSWORD"
  # would be tagged regardless of [type].
  if [type] == "postgres" and ([message] =~ /password/ or [message] =~ /Password/ or [message] =~ /PASSWORD/) {
    mutate {
      add_tag => [ "drop" ]
    }
  }
}
output {
  # Only events without the "drop" tag are shipped to Elasticsearch
  if "drop" not in [tags] {
    elasticsearch { hosts => ["localhost:9200"] }
  }
}
I'm not sure why the original drop {} was not working?
Because you used _type instead of type?
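The fix both posts point at, written out as an added example (this is not config from either poster). `[type]` is the event field an input sets with `type => "postgres"`, while `_type` is an Elasticsearch document attribute that never exists on the Logstash event, so the original conditional never matched and nothing was dropped. Logstash conditional regexes are Ruby regexes, so case-insensitivity is switched on with the inline `(?i)` flag rather than a trailing `/i`, which the config parser rejects. Option B is the variant a security engineer usually prefers: keep the audit line but redact the secret with `mutate`'s `gsub`, so `CREATE ROLE` / `ALTER ROLE` activity still reaches Elasticsearch without the credential. The `type` value, the tag name and the assumed shape of the Postgres statement (`PASSWORD 'literal'`) are assumptions, not taken from the original posts.

```conf
# Option A: drop the whole event (what the original question asked for).
filter {
  # [type], not [_type]. (?i) makes the pattern case-insensitive, so one
  # regex covers password / Password / PASSWORD.
  if [type] == "postgres" and [message] =~ /(?i)password/ {
    drop {}
  }
}

# Option B: use INSTEAD of Option A to redact rather than drop.
# Assumes the secret appears as a quoted SQL literal, e.g. (constructed line):
#   ALTER ROLE app WITH PASSWORD 'hunter2'
# which becomes:
#   ALTER ROLE app WITH PASSWORD '[REDACTED]'
# filter {
#   if [type] == "postgres" and [message] =~ /(?i)password/ {
#     mutate {
#       # gsub takes [field, regex-as-string, replacement]; (?i) works here too.
#       gsub    => [ "message", "(?i)password +'[^']*'", "PASSWORD '[REDACTED]'" ]
#       add_tag => [ "secret_redacted" ]   # assumed tag name, for later searching
#     }
#   }
# }

output {
  elasticsearch { hosts => ["localhost:9200"] }
}
```

Run `bin/logstash -t -f <file>` (configtest) first, then exercise the filter with a `stdin {}` input and a `stdout { codec => rubydebug }` output, pasting a constructed `ALTER ROLE ... PASSWORD '...'` line, before pointing the output at Elasticsearch. Redaction keeps the fact that a password was changed, and by whom, in the index while the credential itself never leaves the Logstash host.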