Discarding logs in ELK

We are using the Winlogbeat agent.
Can we discard or drop log messages based on criteria defined in the ELK stack?
We don't want to drop logs based on the Winlogbeat yml config on the systems;
we want to drop logs centrally. Is it possible?

Why not? It seems a waste to ship them and drop them.

There is some policy deployed which does not allow creating these config files on various hosts; that's why I was looking at other options.

Ok. You could send all the logs to another Winlogbeat instance and drop them there.

Use an ingest pipeline DROP


Hi Rugenl,

Do you mean to create an ingest pipeline DROP on Winlogbeat or Elastic?
Can you please share a few examples, if feasible?



Starting in 8.0.0, winlogbeat ships ingest pipelines. I haven't switched my winlogbeat agents to 8 yet, but I have loaded the ingest pipelines. I think all winlogbeat events are sent to ingest pipeline winlogbeat-{agent.version}-routing, then some events are sent to other pipelines from there. You could add your drop logic by modifying that pipeline.

If you're pre 8.x, you would have to create an ingest pipeline and change your winlogbeat to specify that ingest pipeline.

Some links:
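
Added example, not part of the original thread and not one of the pipelines Winlogbeat ships: a request body for `PUT _ingest/pipeline/winlogbeat-drop-noise` that uses the `drop` processor discussed above. The pipeline name, the tag and the two event codes are constructed for illustration, and the condition assumes `event.code` is indexed as a string.

```json
{
  "description": "Added example (hypothetical name winlogbeat-drop-noise): drop selected Security channel events centrally. Event codes are constructed samples.",
  "processors": [
    {
      "drop": {
        "tag": "drop-noisy-security-events",
        "if": "ctx.winlog?.channel == 'Security' && ['4703', '5156'].contains(ctx.event?.code)"
      }
    }
  ]
}
```

A document that matches the `if` condition is discarded before indexing and is not stored anywhere, so the same processor entry can be placed at the top of an existing pipeline's `processors` list to skip the remaining processors for those events.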