At the moment I have this filter working to drop some lines:
    ## var_log_messages filter
    filter {
      if [type] == "var_log_messages" {
        grok {
          patterns_dir => ["/etc/logstash/patterns/"]
          match => { "message" => "%{SYSLOGTIMESTAMP:var_log_messages_timestamp} %{SYSLOGHOST:var_log_messages_hostname} %{DATA:syslog_program}(?:\[%{POSINT:var_log_secure_pid}\])?: %{GREEDYDATA:message}" }
          overwrite => [ "message" ]
        }
        ## ignore unknown spam line
        if ([message] =~ "(Got|Sent) message type[=](method\_return|method\_call|signal) (sender)\=(n\/a|\:1\.0|org\.freedesktop\.[a-zA-Z0-9]+|[0-9\:\.]+) destination[=](n\/a|\:1\.0|org\.freedesktop\.[a-zA-Z0-9]+) object\=\/org\/freedesktop\/[a-zA-Z0-9\/\_]+ interface\=org\.freedesktop\.[a-zA-Z0-9]+") {
          drop {}
        }
        else if ([message] =~ "GSSAPI client step ([0-9]{1,2})") {
          drop {}
        }
        else if ([message] =~ "nss\_getpwnam\: name \'root\@test\.cloud\' does not map into domain \'test\.nl") {
          drop {}
        }
      }
    }
But I want to make a universal way to drop unwanted log lines with grok patterns.
I've made a custom pattern which matches a part of an unwanted message.
It would be nice to add a line like:
    else if ([message] =~ "\[%{IPA_TIMESTAMP}\] attrlist_replace - attr_replace \(nsslapd-referral, ldap://%{HOSTNAME:host}") {
      drop {}
    }
but grok isn't usable in a Logstash conditional.
How could I check multiple matches with grok and drop the unwanted ones?
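One way to get there, as an added example rather than code from the original post: run a second grok pass whose match list holds one pattern per unwanted line, let grok tag the event only when one of those patterns matches, and drop on the tag. The conditional then tests a tag, not a regex, so the %{...} pattern names are expanded by grok as usual. The example assumes a logstash-filter-grok version that supports the pattern_definitions option, that IPA_TIMESTAMP is defined in /etc/logstash/patterns/ as in the post, and the DBUS_SPAM and GSSAPI_STEP names are constructed here for readability.

```logstash
filter {
  if [type] == "var_log_messages" {
    # First pass: same parse as in the post, splits syslog header from message.
    grok {
      patterns_dir => ["/etc/logstash/patterns/"]
      match => { "message" => "%{SYSLOGTIMESTAMP:var_log_messages_timestamp} %{SYSLOGHOST:var_log_messages_hostname} %{DATA:syslog_program}(?:\[%{POSINT:var_log_secure_pid}\])?: %{GREEDYDATA:message}" }
      overwrite => [ "message" ]
    }

    # Second pass: one entry per unwanted line. grok tries the patterns in
    # order and stops at the first hit (break_on_match defaults to true).
    # add_tag only fires on a successful match; tag_on_failure is emptied so
    # the many normal lines are not tagged _grokparsefailure.
    grok {
      patterns_dir => ["/etc/logstash/patterns/"]
      # Constructed names for this example; IPA_TIMESTAMP is assumed to come
      # from the custom patterns directory above.
      pattern_definitions => {
        "DBUS_SPAM"   => "(Got|Sent) message type=(method_return|method_call|signal) sender=(n/a|:1\.0|org\.freedesktop\.[a-zA-Z0-9]+|[0-9:\.]+) destination=(n/a|:1\.0|org\.freedesktop\.[a-zA-Z0-9]+) object=/org/freedesktop/[a-zA-Z0-9/_]+ interface=org\.freedesktop\.[a-zA-Z0-9]+"
        "GSSAPI_STEP" => "GSSAPI client step [0-9]{1,2}"
      }
      match => { "message" => [
        "%{DBUS_SPAM}",
        "%{GSSAPI_STEP}",
        "nss_getpwnam: name 'root@test\.cloud' does not map into domain 'test\.nl",
        # The event is dropped anyway, so %{HOSTNAME} is not captured into a
        # field (capturing into "host" would overwrite the existing host field).
        "\[%{IPA_TIMESTAMP}\] attrlist_replace - attr_replace \(nsslapd-referral, ldap://%{HOSTNAME}"
      ] }
      add_tag => [ "unwanted_line" ]
      tag_on_failure => []
    }

    # Drop on the tag instead of on a regex, so grok patterns stay usable.
    if "unwanted_line" in [tags] {
      drop {}
    }
  }
}
```

Adding a new unwanted line is then a single entry in the match array, and a pattern can be split off into pattern_definitions or the patterns directory when it gets long. Two things worth checking before relying on it: the entries are ordinary unanchored regexes, so a short pattern such as GSSAPI_STEP matches anywhere in the message and should be anchored with ^ if it turns out to hit lines you meant to keep; and because break_on_match stops at the first hit, only the first matching pattern is ever evaluated per event, which is fine here since all of them lead to the same drop.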