I am using Logstash with the syslog plugin to collect logs from vSphere. The problem is that I get a lot of unnecessary entries, over 12,000 different rows per minute.
I want to whitelist only the values that I want in the message field.
For example, I want to keep logs only if the "Message" field contains an administrator account.
Can I split "Message" into fields and remove the unnecessary ones?
Here is an example of the configs:
<134>1 2023-03-19T10:51:28.792214+00:00 vs vsan-health-main - - - (vim.cluster.VsanObjectSpaceSummary) {
I don't want to store such a field.
<14>1 2023-03-19T10:37:08.771275+00:00 vs vpxd 17644 - - Event [29210] [1-1] [2023-03-19T10:37:08.770929Z] [vim.event.VmRemovedEvent] [info] [VSPHERE.LOCAL\Hramoff] [Datacenter-1] [29208] [Removed CLI on esxi2.vs.loc from Datacenter-1]
And this is the field I want to store.
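
One way to do the whitelisting asked about above, as an added example that is not part of the original post: a Logstash filter block that splits the vpxd event line into fields with grok, drops everything that does not match (such as the vsan-health-main line), and keeps only events from listed accounts. It assumes the raw syslog line (or at least the part starting at "Event [") is in the [message] field; the field names, the tag name, and the second account in the list are hypothetical choices.

```logstash
filter {
  # Split the bracketed vpxd event layout from the sample line into fields.
  # Field names (event_id, seq, event_time, ...) are hypothetical.
  grok {
    match => {
      "message" => "Event \[%{INT:event_id}\] \[%{DATA:seq}\] \[%{TIMESTAMP_ISO8601:event_time}\] \[%{DATA:event_type}\] \[%{DATA:severity}\] \[%{DATA:user}\] \[%{DATA:datacenter}\] \[%{INT:event_key}\] \[%{GREEDYDATA:event_text}\]$"
    }
    tag_on_failure => ["_vpxd_event_nomatch"]
  }

  # Anything that is not a vpxd event line (e.g. vsan-health-main output)
  # failed the grok above and is discarded here.
  if "_vpxd_event_nomatch" in [tags] {
    drop { }
  }

  # Whitelist: keep the event only if the account part of [user]
  # (the text after the backslash) is a listed administrator account.
  # "Hramoff" comes from the sample line; "Administrator" is a constructed entry.
  if [user] !~ /\\(Hramoff|Administrator)$/ {
    drop { }
  }

  # Once the fields are extracted, the original line can be removed
  # so that only the parsed fields are stored.
  mutate {
    remove_field => ["message"]
  }
}
```

Because the whitelist is a default-deny check, events with an empty user field or an account that is not listed are dropped as well, so the account list has to cover every administrator whose actions should be retained.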