I am using logstash with syslog plugin to collect logs from vsphere. The problem is that I get a lot of unnecessary entries, over 12,000 different rows per minute.
I want to whitelist only the values that I want in the message field.
For example, I want to keep logs only if the "Message" field contains an administrator account.
Can I split "Message" into fields and remove unnecessary ones.
I give an example of configs:
<134>1 2023-03-19T10:51:28.792214+00:00 vs vsan-health-main - - - (vim.cluster.VsanObjectSpaceSummary) {
I don't want to store such a field
<14>1 2023-03-19T10:37:08.771275+00:00 vs vpxd 17644 - - Event [29210] [1-1] [2023-03-19T10:37:08.770929Z] [vim.event.VmRemovedEvent] [info] [VSPHERE.LOCAL\Hramoff] [Datacenter-1] [29208] [Removed <mark>CLI</mark> on esxi2.vs.loc from Datacenter-1]
can you elaborate on how you define an administrator account so the parsing logic can reflect that task.
In some cases, the syslog message may contain an "AUTHOR" or "USER" field that identifies the user account associated with the message. In other cases, it may look for patterns in the "message" field itself that indicate that the message is from an administrator account.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.