Forgive me if I've missed this in the docs as I couldn't see it.
Is it possible to drop an entire log based on a condition?
i.e. eventlog_id 5156 is never needed and is disabled on the majority of servers we have. Rather than output these to elasticsearch, can any WindowsEventLog types with the eventlog_id field = 5156 just be ignored rather than being output to elasticsearch?
By "drop an entire log" I assume you mean drop the current event. Yes, that's easy:
filter {
  if [eventlog_id] == 5156 {
    drop { }
  }
}
This assumes that eventlog_id is an integer field. If it's a string field (which it probably shouldn't be) you'll have to double quote the value (i.e. use "5156" instead).
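A fuller pipeline filter section, added here as an illustration and not part of the answer above, that scopes the drop to the WindowsEventLog type from the question and removes the integer-vs-string ambiguity by converting the field before comparing. The field names `type` and `eventlog_id` are taken from the question; the `mutate`/`convert` step and the `WindowsEventLog` type value are assumptions about how the shipper tags its events.

```conf
filter {
  # Only touch Windows event log documents; other log types pass through untouched.
  if [type] == "WindowsEventLog" {

    # Normalise the field so the comparison below works whether the shipper
    # sent eventlog_id as an integer or as a string such as "5156".
    mutate {
      convert => { "eventlog_id" => "integer" }
    }

    # Event 5156 is not wanted in the index: cancel the event here so it never
    # reaches the elasticsearch output. Nothing about the other events changes.
    if [eventlog_id] == 5156 {
      drop { }
    }
  }
}
```

The conversion is cheap and makes the drop condition independent of how each shipper encodes the field; if you later want to drop several event IDs, extend the condition to `if [eventlog_id] in [5156, 5158]` rather than adding a second block.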
I believe so. I'm basically looking to prevent any logs with eventlog_id equalling 5156 from being passed to the output and therefore never being indexed by Elasticsearch.