I have ELK running on Ubuntu Server with the intention of it receiving Syslog from firewalls and Filebeat from DNS/DHCP/AD services.
The primary issue is the firewalls make a lot of Syslog noise without there being a way to define which events or facilities get sent on the firewall's side. So I was hoping there was a way to parse the Syslog data in a pipeline.conf file, but I'm not sure what syntax I should be using or how to define what it is I would like to ingest. Everything I've tried on my own or copy/pasted has broken ingestion, and nothing shows up in Kibana.
Ideally, I just want to drop all of the local performance monitoring. That leaves traffic and VPN information and critical alerts for intrusions.
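One way to do this in a Logstash pipeline, as an added example rather than anything from the original post: use the `syslog` input (which already splits each message into `facility_label`, `severity_label`, `program` and `message`) and then `drop {}` the events you do not want before they reach Elasticsearch. The port, the program names and the facility used in the conditionals below are placeholders and assumptions; replace them with the values your firewall actually sends, which you can discover by running with the `stdout` output enabled first.

```logstash
# Added example pipeline.conf (not the original poster's config).
# Port number, program names, facility and index name are placeholders.
input {
  syslog {
    port => 5514          # assumption: non-privileged port; 514 needs root or a capability
    type => "firewall"
  }
}

filter {
  if [type] == "firewall" {
    # Placeholder: drop local performance/monitoring chatter by program or facility.
    if [program] in ["perfmon", "sysmon"] or [facility_label] == "local0" {
      drop { }
    }

    # Keep traffic, VPN and intrusion events; drop low-severity messages that
    # are neither traffic nor VPN related (program match is a placeholder regex).
    if [severity_label] in ["Informational", "Debug"] and [program] !~ /(?i)traffic|vpn/ {
      drop { }
    }

    # Anything the syslog input could not parse as RFC3164 is tagged; keep it
    # visible rather than dropping it so you can see what the firewall really sends.
    if "_grokparsefailure_sysloginput" in [tags] {
      mutate { add_tag => ["needs_custom_grok"] }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumption: local single-node ELK
    index => "firewall-%{+YYYY.MM.dd}"
  }
  # Enable while tuning the filters to see exactly which events survive:
  # stdout { codec => rubydebug }
}
```

Before loading it, check the syntax with `bin/logstash --config.test_and_exit -f pipeline.conf`; a syntax error in a filter is the usual reason "nothing shows up in Kibana" after an edit. If many events arrive tagged `_grokparsefailure_sysloginput`, the firewall is not sending standard RFC3164 and you will need a plain `udp`/`tcp` input with your own `grok` pattern instead of the `syslog` input.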