Currently on Elastic Stack 6.3.0. We (for now) use rsyslog as a central log collection and that server sends it in json format to Elastic Stack. All that is working good except I'm trying to filter out system login(s) by saying not to show UserName if it has a $ at the end of it such as DOMAIN\MYLAPTOP$.
I've tried doing UserName:*$ and UserName:*$* and setting it to exclude but it still shows it up. If I drop it in the logstash configuration file it drops fine. Any ideas?
Since this was being recognized in the logstash configuration files I just added a field and said if "$" in [username] then mark it as service logon - it adds the field correctly and I can filter out from there.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.