Excluding files from being indexed


(Alex) #1

To whom this may concern,

For my given use case, I collect syslogs which help identify unusual behavior on our systems. On occasion, however, our InfoSec team runs vulnerability scans (etc) and our ElasticSearch server gets overwhelmed by the massive amounts of logs generated. For this purpose I would like to exclude from indexing any logs that contain a particular static IP.

Any ideas or suggestions are welcome.
Respectfully,

Alex


(Alex) #2

Answered my own question:

It all depends on how logs are collected. In this case, I filtered for an expression much like this:
# "IP" stands for the scanner's address; "~" is rsyslog's legacy discard action ("stop" in current versions)
if $msg contains "IP" then ~

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/s1-basic_configuration_of_rsyslog.html

This question probably belongs in the Logstash category.
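As an added example (not part of Alex's posts), the Python below applies the same drop rule to a few constructed syslog lines and shows the main caveat of the approach: a plain substring test like `contains "192.0.2.10"` also discards messages that mention 192.0.2.100 or 192.0.2.105, so an exact dotted-quad comparison is safer. The scanner address and log lines are assumed; when the scanner is the sending host, rsyslog can compare the source property as a whole instead (`if $fromhost-ip == "192.0.2.10" then stop`).

```python
import re

# Constructed RFC 3164 style sample lines (not from the original thread).
SAMPLE_LOGS = [
    'Mar  3 10:00:01 web01 sshd[2211]: Failed password for root from 192.0.2.10 port 51522 ssh2',
    'Mar  3 10:00:02 web01 sshd[2214]: Accepted publickey for deploy from 192.0.2.100 port 40112 ssh2',
    'Mar  3 10:00:03 web01 nginx: 192.0.2.105 - - "GET /login HTTP/1.1" 200',
    'Mar  3 10:00:04 web01 sshd[2220]: Failed password for admin from 198.51.100.7 port 51530 ssh2',
]

SCANNER_IP = "192.0.2.10"  # assumed address of the vulnerability scanner

# Whole dotted-quad tokens only: no digit or dot directly before or after.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def naive_drop(line, ip):
    """Mimic `if $msg contains "<ip>" then ~`: a bare substring match."""
    return ip in line


def exact_drop(line, ip):
    """Drop only when the scanner IP appears as a complete address."""
    return ip in IPV4.findall(line)


def filter_logs(lines, ip, matcher):
    """Split lines into (kept, dropped) using the given drop predicate."""
    kept, dropped = [], []
    for line in lines:
        (dropped if matcher(line, ip) else kept).append(line)
    return kept, dropped


if __name__ == "__main__":
    for name, matcher in (("substring", naive_drop), ("exact", exact_drop)):
        kept, dropped = filter_logs(SAMPLE_LOGS, SCANNER_IP, matcher)
        print(f"{name:9s} match: kept {len(kept)}, dropped {len(dropped)}")
        for line in dropped:
            print("   dropped:", line)
```

The substring rule silently discards the two unrelated 192.0.2.100 and 192.0.2.105 events, which is exactly the kind of blind spot to check for before putting such a filter in front of the index.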
