Hi, I've spent a couple of days looking at filtering and probably just cannot get the basic nuances for what I want to do to make it work.
Basic set up. I have an auditbeat running on a linux server sending over to logstash on another linux server that has ELK set up on it. We want to do the filtering on the ELK server rather than at the auditbeat end.
Set-up in auditbeat is using the audit module with a number of auditd rules. These are happily being received by ELK and display happily in Kibana. Problem is that 90+% of what is being received is noise and I want to use logstash to filter out the noise before it gets to ES.
I've tried a number of filters that just seemed to be ignored and still sent everything through. Examples of good filters on the internet are few and far between. What I need is an example of a working one that I can then build on and expand. It is just getting that first one that is eluding me.
In the message is audit.kernel.actor.attrs.uid and I want to filter out any that have nagios as the ID.
Any help gratefully received.
(I've not put any examples of what I've tried as I have no idea if any are in any way close to being right!)
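A minimal Logstash pipeline that does what the post asks, added here as an example and not taken from the original thread or from the Elastic documentation. It assumes the event really carries a nested object `audit.kernel.actor.attrs.uid` as the post describes, and that the value to match is the literal string `nagios` (if auditbeat is shipping the numeric uid instead, compare against that number as a string). The input and output blocks are placeholders: the port, index name and host are assumptions.

```logstash
input {
  # Auditbeat ships to this port; adjust to the port in your beats input.
  beats {
    port => 5044
  }
}

filter {
  # Logstash does not address a nested field as "audit.kernel.actor.attrs.uid".
  # That string names a single top-level field whose name contains dots, which
  # never exists, so a condition written that way silently never matches and
  # every event passes through. The nested path is written with brackets.
  if [audit][kernel][actor][attrs][uid] == "nagios" {

    # Step 1 (diagnostic): tag instead of dropping until the match is confirmed.
    # Search Kibana for tags:nagios_noise to check the condition fires on the
    # expected events and on nothing else. Remove this block once confirmed.
    mutate {
      add_tag => [ "nagios_noise" ]
    }

    # Step 2 (real filter): once the tag shows the right events, swap the
    # mutate for drop {} so the events never reach Elasticsearch.
    # drop { }
  }
}

output {
  # Keep a console view while developing; rubydebug prints the real field
  # structure, which is the quickest way to confirm the bracket path above.
  stdout {
    codec => rubydebug
  }

  elasticsearch {
    hosts => [ "localhost:9200" ]      # assumed ES host
    index => "auditbeat-%{+YYYY.MM.dd}" # assumed index pattern
  }
}
```

Two points worth checking before moving from `mutate` to `drop`. First, confirm in the `rubydebug` output that the field is really nested (`audit` containing `kernel` containing `actor` and so on) and not a flat key with dots in its name; the bracket path only works for the nested form. Second, dropping everything a service account does removes that account's audit trail entirely, so if only one rule is noisy it is safer to add that rule's key to the condition (for example `and [audit][kernel][data][key] == "some_rule_key"`, where the key is whatever `-k` value the noisy auditd rule was given) rather than filtering on the uid alone.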