Excluding files from being indexed

sashasec · January 20, 2016, 11:36pm

To whom this may concern,

For my given use case, I collect syslogs which help identify unusual behavior on our systems. On occasion, however, our InfoSec team runs vulnerability scans (etc) and our ElasticSearch server get's overwhelmed by the massive amounts of logs generated. For this purpose I would like to exclude any logs to be indexed that contain a particular static IP.

Any ideas or suggestions are welcome.
Respectfully,

Alex

sashasec · January 21, 2016, 12:48am

Answered my own question:

It all depends on how logs are collected. In this case, I filtered for an expression much like this:
if $msg contains "IP" then ~

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html

This question probably belongs in the Logstash category.

Topic		Replies	Views
Discovery - Exclude wildcard? Elasticsearch	2	333	August 14, 2018
Preventing specific events from being indexed Logstash	3	326	April 28, 2021
Best practices for exclusions in logstash Logstash	2	544	December 28, 2017
Rsyslog to logstash help Logstash	4	1365	December 17, 2017
Exclude internal ip's Kibana	2	6254	July 6, 2017

Excluding files from being indexed

Related topics