Filter specific Message with logstash before sending to ElasticSearch

Hello,

I had like to know if it is possible to send only specific log messages to elasticsearch via logstash? E.G let's say I have these messages in my log file:

2015-08-14 12:21:03 [31946] PASS level2 10.249.10.70 level2 http://google.com
2015-08-14 12:25:00 [2492] domainlist "/etc/ufdbguard/blacklists/filehosting/domains
2015-08-14 12:21:03 [31946] PASS level2 10.249.10.41 level2 http://yahoo.com

I had like to skip the second line when logstash/log forwarder process this log, is it possible to instruct it to skip any log message with the keyword 'domainlist'? Or allow only log messages with the keyword 'PASS'?

Thanks in advance for your help :smile:

Use a conditional:

output {
  if "PASS" in [message] {
    elasticsearch {
      ...
    }
  }
}
1 Like

Thanks for your help :slight_smile: